
CN114598546A - Application defense method, device, equipment, medium and program product - Google Patents


Info

Publication number
CN114598546A
Authority
CN
China
Prior art keywords
attack
defense
application
server
code
Prior art date
Legal status
Granted
Application number
CN202210292050.6A
Other languages
Chinese (zh)
Other versions
CN114598546B (en)
Inventor
魏兴
旷亚和
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202210292050.6A
Publication of CN114598546A
Application granted
Publication of CN114598546B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/70 Software maintenance or management
    • G06F 8/72 Code refactoring

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The disclosure provides an application defense method, apparatus, device, storage medium and program product for an application server, and relates to the field of information security. The method comprises the following steps: receiving a request message for accessing the application server; detecting attack content in the request message based on a first detection rule; and, where the request message contains the attack content, running attack defense code in the request processing function to block the first network address, the attack defense code having been inserted into the request processing function by bytecode instrumentation. Embodiments of the disclosure give the application itself a defense function that does not depend on dedicated protection equipment, and so avoid the access performance problems that protection by external security equipment may introduce. The disclosure also provides an application defense method, apparatus, device, storage medium and program product for a defense server.

Description

Application defense method, device, equipment, medium and program product
Technical Field
The present disclosure relates to the field of information security, and more particularly, to an application defense method, apparatus, device, medium, and program product.
Background
With the development of internet technology, hackers attack application systems more and more frequently, so network security deserves attention. Attack behavior here refers to any kind of attack on an application system, such as destroying, hijacking or modifying the application system without authorization. In the related art, attack behavior can be quickly discovered and blocked with dedicated protection equipment; for example, attack detection is performed at the application layer by devices such as application firewalls.
In implementing the disclosed concept, the inventors found at least the following problem in the related art: the defense of the application system depends on the protection equipment, and under highly concurrent access the protection equipment may lack the processing capacity to keep up, so access requests queue up and access performance suffers.
Disclosure of Invention
In view of the above, the present disclosure provides a method, apparatus, device, medium, and program product by which an application itself can implement attack defense.
In one aspect of the embodiments of the present disclosure, an application defense method for an application server is provided, including: receiving a request message for accessing the application server, where the request message includes a first network address of the client initiating the access; detecting attack content in the request message based on a first detection rule, where the attack content is content that produces attack behavior against the application server; and, where the request message includes the attack content, running attack defense code in the request processing function to block the first network address, where the attack defense code is inserted into the request processing function by bytecode instrumentation.
According to an embodiment of the present disclosure, further comprising: adding the first network address into a blacklist, wherein the blacklist comprises at least one blacklist address; and/or sending the first network address to a defense server, wherein the defense server is used for carrying out communication connection with the N application servers, and N is an integer greater than or equal to 1.
According to an embodiment of the present disclosure, further comprising: receiving a second network address sent by the defense server; and updating the second network address to the blacklist.
According to an embodiment of the present disclosure, further comprising: receiving a second detection rule sent by the defense server; updating the first detection rule based on the second detection rule.
According to an embodiment of the present disclosure, the method further includes inserting attack judgment code into the request processing function by bytecode instrumentation; detecting attack content in the request message based on the first detection rule then includes running the attack judgment code to detect the attack content, where the attack judgment code executes the first detection rule.
According to an embodiment of the present disclosure, the running the attack determination code to detect the attack content includes: matching the first network address with a blacklist address in a blacklist list, wherein the blacklist list comprises at least one blacklist address; and/or matching a message field in the request message with a preset attack field.
According to an embodiment of the present disclosure, the method further includes inserting content acquisition code into the request processing function by bytecode instrumentation and, before blocking the first network address, running the content acquisition code to acquire the first network address and/or the attack content.
Another aspect of the embodiments of the present disclosure provides an application defense method for a defense server, where the defense server is communicatively connected with N application servers and N is an integer greater than or equal to 1. The method includes receiving attack processing information sent by a first application server, where the first application server is any one of the N application servers and the attack processing information includes a first network address blocked by the first application server. The first application server is configured to: receive a request message for accessing the first application server, where the request message includes the first network address of the client initiating the access; detect attack content in the request message based on a first detection rule, where the attack content is content that produces attack behavior against the application server; and, where the request message includes the attack content, run attack defense code in the request processing function to block the first network address, where the attack defense code is inserted into the request processing function by bytecode instrumentation.
According to an embodiment of the present disclosure, further comprising: and sending the first network address to a second application server, wherein the second application server is configured to add the first network address to a blacklist, the second application server is any one of the N application servers except the first application server, and the blacklist includes at least one blacklist address.
According to an embodiment of the present disclosure, further comprising: sending a second network address to the N application servers, wherein the N application servers are configured to add the second network address to a blacklist, the second network address comprises an address directly added at the defense server, and the blacklist comprises at least one blacklist address.
According to an embodiment of the present disclosure, further comprising: sending a second detection rule to the N application servers, wherein the N application servers are configured to update the first detection rule based on the second detection rule.
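The exchanges between the defense server and the N application servers summarized above (an application server reports a blocked first network address, the defense server forwards it to the other servers, an operator adds a second network address directly at the defense server, and a second detection rule replaces the first), simulated in one process as an added example. This is not code from the patent or from ICBC; the message shapes, the versioned rule format, and the choice to accept only a newer rule are assumptions made here, and the addresses are constructed.

```python
"""Defense server coordinating blacklists and rules across N application servers.

Added example, not the patent's code. Message shapes, the versioned rule
format and the newer-version-only rule update are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AppServer:
    """One of the N application servers; holds its own blacklist and rule."""
    name: str
    blacklist: set = field(default_factory=set)
    detection_rule: dict = field(default_factory=lambda: {"version": 1, "fields": ["url"]})
    defense_server: Optional["DefenseServer"] = None

    def block(self, first_network_address):
        """Attack defense code: block locally, then report the address upstream."""
        self.blacklist.add(first_network_address)
        if self.defense_server is not None:
            self.defense_server.receive_attack_info(self.name, first_network_address)

    def receive_address(self, second_network_address):
        """An address pushed by the defense server joins the local blacklist."""
        self.blacklist.add(second_network_address)

    def receive_rule(self, second_detection_rule):
        """Update the first detection rule; ignore stale or replayed pushes."""
        if second_detection_rule["version"] > self.detection_rule["version"]:
            self.detection_rule = second_detection_rule


@dataclass
class DefenseServer:
    """Manages the defense state of every registered application server."""
    servers: dict = field(default_factory=dict)
    attack_log: list = field(default_factory=list)

    def register(self, server):
        self.servers[server.name] = server
        server.defense_server = self

    def receive_attack_info(self, reporter, first_network_address):
        """Attack processing information from one server fans out to the others."""
        self.attack_log.append((reporter, first_network_address))
        for name, srv in self.servers.items():
            if name != reporter:
                srv.receive_address(first_network_address)

    def add_address(self, second_network_address):
        """An address added directly at the defense server goes to all N servers."""
        for srv in self.servers.values():
            srv.receive_address(second_network_address)

    def push_rule(self, second_detection_rule):
        """A second detection rule is sent to all N servers."""
        for srv in self.servers.values():
            srv.receive_rule(second_detection_rule)


def simulate(n=3):
    """Run the exchanges on constructed addresses and return the final state."""
    ds = DefenseServer()
    servers = [AppServer(f"app-{i}") for i in range(1, n + 1)]
    for srv in servers:
        ds.register(srv)
    servers[0].block("198.51.100.7")                        # detected on app-1
    ds.add_address("203.0.113.200")                         # added by an operator
    ds.push_rule({"version": 2, "fields": ["url", "body"]})
    ds.push_rule({"version": 1, "fields": ["url"]})         # stale push, ignored
    return ds, servers


if __name__ == "__main__":
    ds, servers = simulate()
    for srv in servers:
        print(srv.name, sorted(srv.blacklist), srv.detection_rule["version"])
```

After the run every server holds both addresses and rule version 2. The version check is the one addition beyond the summary: without it a delayed or replayed rule push would silently downgrade a server's detection rule.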
Another aspect of the disclosed embodiments provides an application defense apparatus for an application server, including: a request receiving module configured to receive a request message for accessing the application server, where the request message includes a first network address of the client initiating the access; an attack detection module configured to detect attack content in the request message based on a first detection rule, where the attack content is content that produces attack behavior against the application server; and an address blocking module configured, where the request message includes the attack content, to run attack defense code in the request processing function to block the first network address, where the attack defense code is inserted into the request processing function by bytecode instrumentation.
Another aspect of the embodiments of the present disclosure provides an application defense apparatus for a defense server, where the defense server is communicatively connected with N application servers and N is an integer greater than or equal to 1. The apparatus includes an information receiving module configured to receive attack processing information sent by a first application server, where the first application server is any one of the N application servers and the attack processing information includes a first network address blocked by the first application server. The first application server is configured to: receive a request message for accessing the first application server, where the request message includes the first network address of the client initiating the access; detect attack content in the request message based on a first detection rule, where the attack content is content that produces attack behavior against the application server; and, where the request message includes the attack content, run attack defense code in the request processing function to block the first network address, where the attack defense code is inserted into the request processing function by bytecode instrumentation.
Another aspect of the disclosed embodiments provides an electronic device, including: one or more processors; a storage device to store one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method as described above.
Another aspect of the embodiments of the present disclosure also provides a computer-readable storage medium having executable instructions stored thereon, which when executed by a processor, cause the processor to perform the method as described above.
Yet another aspect of the disclosed embodiments provides a computer program product comprising a computer program that when executed by a processor implements the method as described above.
One or more of the above embodiments have the following advantageous effects:
compared with defending against attacks with dedicated protection equipment, the attack defense code can be inserted into the request processing function by bytecode instrumentation, and if attack content is detected in the request message based on the first detection rule, the network address in the request message is blocked by running the attack defense code. The application thus has its own defense function, no longer depends on dedicated protection equipment, and avoids the access performance problems that relying on external security equipment may introduce.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of an application defense method according to an embodiment of the present disclosure;
FIG. 2 schematically shows a flow chart of an application defense method for an application server according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a schematic diagram of bytecode instrumentation, according to an embodiment of the disclosure;
FIG. 4 schematically shows a flow chart for obtaining message content according to an embodiment of the disclosure;
FIG. 5 schematically shows a flow diagram for detecting attack content according to an embodiment of the disclosure;
FIG. 6 schematically shows a flow chart of an application defense method for defending a server in accordance with an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow diagram of a multi-party interaction execution application defense method according to another embodiment of the present disclosure;
FIG. 8 schematically shows a block diagram of an application defense apparatus for an application server according to an embodiment of the present disclosure;
FIG. 9 is a block diagram schematically illustrating an application defense apparatus for defending a server in accordance with an embodiment of the present disclosure;
FIG. 10 schematically illustrates a block diagram of an electronic device suitable for implementing an application defense method in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In order to facilitate understanding of the technical solutions of the present application, some technical terms related to the present application are described below.
Client: also called the client side, a program that corresponds to a server and provides application services to a user. It may be installed on the user's terminal device, for example as an application (App) installed on a smartphone, or run as a web page in a browser.
The application server side: may be deployed on an application server. The application services are implemented using code that provides business logic for the application. It provides an access mechanism for the client to use, thereby matching with the client to meet the user's needs.
Request message: the access request initiated by the client, which may be an HTTP (Hypertext Transfer Protocol) request or an HTTPS (HTTP over TLS/SSL) request; the request message is the message that carries the access request. For example, an HTTP request consists of a start line, header fields (the request Header) and an optional message body (the entity, or Body). The client is the initiator of the access request and the application server is the responder.
Request processing function: the code in the application server that processes the access request, parses the request message and returns the response. The function consists of at least one piece of business code written in a programming language such as C, C++, Go, Java or Python.
Code: computer language instructions written in accordance with a programming language may be executed by a computer.
Defense server: interacts with the application servers, for example receiving blocked network addresses or sending network addresses and detection rules, and manages the defense of one or more application servers. The application server itself implements the defense function by executing the content acquisition code, the attack judgment code and the attack defense code.
Bytecode instrumentation: inserting a piece of code into another piece of code, or replacing a piece of code, through some mechanism (for example a Java agent or Javassist) to achieve bytecode enhancement. Unlike instrumentation on the client or binary instrumentation, the bytecode instrumentation of the embodiments of the present disclosure instruments code on the application server.
With the development of network security, how to quickly discover and block attack behavior is an important issue in the field of security protection. A general application defense method may use a firewall, an Intrusion Prevention System (IPS) and similar devices to perform detection at the network layer and, if attack behavior is found, block it at the firewall or IPS; such a method cannot inspect encrypted traffic. Detection can also be carried out at the application layer with devices such as application firewalls. However, such devices are prone to access performance problems, which can cause protection to fail. In addition, as cloud computing develops, many applications are deployed in cloud environments, where deploying protection equipment becomes difficult.
Embodiments of the present disclosure provide an application defense method, apparatus, device, medium and program product for an application server. Compared with defending against attacks with dedicated protection equipment, the attack defense code can be inserted into the request processing function by bytecode instrumentation, and if attack content is detected in the request message based on the first detection rule, the network address in the request message is blocked by running the attack defense code. The application thus has its own defense function, does not depend on dedicated protection equipment, and avoids the access performance problems that relying on external security equipment may introduce.
Embodiments of the present disclosure also provide an application defense method, apparatus, device, medium, and program product for defending a server. The defense server is connected with at least one application server in a communication mode, so that the defense conditions of one or more application servers can be managed, and the overall defense capability of the application servers is improved.
Fig. 1 schematically shows an application scenario diagram of an application defense method according to an embodiment of the present disclosure.
As shown in FIG. 1, the application scenario 100 according to this embodiment may include N first servers (e.g., servers 111-11N), a second server 120, networks 131 and 132, and terminal devices 141, 142 and 143. Network 131 is the medium used to provide communication links between end devices 141, 142, and 143 and any of the first servers. The network 132 serves as a medium for providing a communication link between the second server 120 and any one of the first servers. Networks 131 and 132 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may use terminal devices 141, 142 and 143 to interact with any of the first servers via network 131 to receive or send messages or the like. Various client applications may be installed on the end devices 141, 142, and 143, such as a shopping-type application, a web browser application, a search-type application, an instant messaging tool, a mailbox client, social platform software, and the like (by way of example only). In some embodiments, the user may use the terminal devices 141, 142, and 143 to interact with the second server 120 through the networks 131 and 132, which is not described herein.
The terminal devices 141, 142, and 143 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The first server or the second server 120 may be a server providing various services, such as a background management server (for example only) providing support for websites browsed by users using the terminal devices 141, 142, and 143. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device.
According to an embodiment of the disclosure, an application server may be deployed in any one of the first servers. The N first servers may be servers that provide services for one application system based on a distributed architecture, or servers that deploy different application systems. A defense server may be deployed in the second server 120.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The application defense method according to the embodiment of the present disclosure will be described in detail below with reference to fig. 2 to 7 based on the scenario described in fig. 1.
Fig. 2 schematically shows a flowchart of an application defense method for an application server according to an embodiment of the present disclosure.
As shown in fig. 2, the application defense method of this embodiment includes operations S210 to S240.
In operation S210, a request message for accessing an application server is received, where the request message includes a first network address of a client initiating an access.
Illustratively, an application server may receive access from multiple clients. The first network address is the IP (Internet Protocol) address of the client making this access.
In operation S220, attack content in the request message is detected based on a first detection rule, where the attack content includes content that produces an attack behavior on the application server.
Illustratively, the request header and entity (body) of the request message include a number of fields, such as the request method, URL and version fields, or computer-executable instructions made up of one or more fields. The fields of the request message are examined to determine whether attack content is present.
In some embodiments, the obtaining of the content of the request message may be performed by other services or devices, and the first detection rule may also be performed by other services or devices. For example, a request interception service is set before the application server, and after the content is acquired and delivered to the application server for detection, it is determined whether there is attack content.
In some embodiments, after receiving the access request, the application server may send the access request to the defense server, and after the defense server performs detection, the application server performs attack behavior processing according to a detection result.
In operation S230, in a case that the request packet includes the attack content, the attack defense code in the request processing function is run to block the first network address, where the attack defense code is inserted into the request processing function in a bytecode instrumentation manner.
Illustratively, the attack defense code consists of at least one piece of code that processes the attack behavior. For example, blocking the first network address may mean intercepting access traffic from that address, preventing the IP from continuing to scan the application and protecting its secure operation. Further, processing of the request message may be interrupted and an error status code returned directly (the example given is 404; 503 is the code that actually denotes Service Unavailable), preventing any further processing of the request. The first network address may also be added to a blacklist.
Illustratively, the request processing function may be written by the user or may be a function provided by a standard code library or framework. In some embodiments the code is inserted into a function provided by such a library. The advantage is that functions provided by a standard library have uniform names and structures, which raises the instrumentation success rate.
Compared with application defense by additional protection equipment, the embodiments of the present disclosure insert the attack defense code into the request processing function by bytecode instrumentation and, if attack content is detected in the request message based on the first detection rule, run the attack defense code to block the network address in the request message. The application thus has its own defense function, no longer depends on dedicated protection equipment, and avoids the access performance problems that relying on external protection equipment may introduce.
Fig. 3 schematically illustrates a schematic diagram of bytecode instrumentation according to an embodiment of the disclosure. Fig. 4 schematically shows a flow chart for obtaining message content according to an embodiment of the present disclosure.
As shown in fig. 4, the acquiring of the message content in this embodiment includes operations S410 to S420.
In operation S410, a content acquisition code is inserted into the request processing function by means of bytecode instrumentation.
Before blocking the first network address in operation S230, operation S420 may be performed to execute the content acquiring code to acquire the first network address and/or attack content.
Referring to fig. 3, the content acquisition code may include HTTP request information acquisition code and client IP acquisition code. The HTTP request information acquisition code obtains the fields of the request message other than the IP address (including the request URL, the HTTP request headers and the HTTP request body), so that those fields can be examined for attack content.
In some embodiments, the client IP acquisition code acquires the first network address. For example, the client IP acquisition code first determines whether a specific header is present in the request; generally, after a request has been forwarded by proxy software, a specific header is added to carry the real client IP address. If no such IP header is present, the IP address is acquired through the getRemoteAddr() method.
According to the embodiment of the disclosure, inserting the content acquisition code by bytecode instrumentation allows every piece of access information to be acquired effectively, so that attack behavior can be located quickly and response efficiency is improved. Even under high concurrency, the content of the request message is obtained by code running on the server's own resources, which avoids the blocking that insufficient performance of protective equipment can cause.
Fig. 5 schematically shows a flow chart of detecting attack content according to an embodiment of the present disclosure.
As shown in fig. 5, detecting attack content of this embodiment includes operations S510 to S520.
In operation S510, an attack determination code is inserted into the request processing function by means of bytecode instrumentation.
Referring to fig. 3, the attack determination code may be inserted into code in an existing application, such as an HTTP request processing function of a server. The attack defense code in operation S230 may include IP block code, which is also code inserted into an existing application by means of bytecode instrumentation.
Detecting attack content in the request message based on the first detection rule in operation S220 may include operation S520. In operation S520, the attack judgment code, which executes the first detection rule, is run to detect the attack content.
Illustratively, the attack judgment code also consists of at least one piece of code, whose execution logic includes the logic of the first detection rule. In some embodiments, the attack judgment code executes the first detection rule by comparing the URL and body information extracted from the HTTP request against known attack behavior.
In some embodiments, the attack judgment code may invoke a simulation environment, and executing the first detection rule includes simulating the processing of the request message and determining whether the processed result contains a harmful factor. The simulation environment may have the same execution logic as the application server.
In other embodiments, executing the first detection rule includes a discrepancy analysis. Specifically, the content of the request message is compared with a preset message template, and whether a difference exists is judged. If the message template is a non-attack template and a difference exists, the differing part is inspected further, or the request is blocked directly. If the message template is an attack template and no difference exists, the request is blocked directly.
In other embodiments, the attack determination code may call a pre-trained neural network model, and the executing the first detection rule includes inputting the content of the request packet into the neural network model to obtain a classification result of the request packet by the model, such as an attack packet or a non-attack packet.
According to the embodiment of the disclosure, bytecode enhancement is realized with the instrumentation technique, and the combined use of the content acquisition code, the attack judgment code and the attack defense code allows attack behavior to be located quickly while the attacking IP is blocked in real time, improving response efficiency. On the one hand, the method breaks through the limitation of traditional network-layer detection: by inspecting the access request at the application layer, it detects attacks even in encrypted (HTTPS) traffic, so the detection accuracy is higher. On the other hand, the attack detection and malicious IP blocking functions are injected into the application itself without the help of an external security protection tool, achieving real-time operation and the integration of content acquisition, detection and blocking.
According to the embodiment of the disclosure, running the attack judgment code to detect the attack content comprises matching the first network address against the blacklist addresses in a blacklist, where the blacklist comprises at least one blacklist address.
For example, the first detection rule may include a blacklist comparison rule. If the client IP address of the current request hits the blacklist, a 404 status code is returned directly, preventing further processing of the request.
In some embodiments, executing the first detection rule includes attack behavior detection based on analysis of the input structure and syntax. The relevant field may also be associated with a regular expression that encodes the detection logic. For example, a message field in the request message is matched against a preset attack field by regular expression comparison.
Illustratively, attack behaviors include file traversal (such as the occurrence of ../ in the request), SQL injection (such as the occurrence of 1 ' or ' 1 ' in the request), file upload (such as a Content-Type: multipart/form-data request header with a request body containing a common trojan characteristic), XSS attacks (such as the occurrence of malicious JavaScript code in the request) and other attack characteristics. If the request matches a preset attack field, it is determined to be an attack request, the client IP of the current request is recorded, and blocking is performed.
Fig. 6 schematically shows a flowchart of an application defense method for defending a server according to an embodiment of the present disclosure.
As shown in fig. 6, the application defense method of this embodiment includes operations S610 to S640. The defense server is communicatively connected with the N application servers, meaning that the defense server and the N application servers can exchange information over a network.
In operation S610, attack processing information sent by a first application server is received, where the first application server is any one of the N application servers and the attack processing information includes a first network address that has been blocked by the first application server. The first application server may execute the application defense method of any embodiment described with fig. 2 to fig. 5 to block the first network address, which is not described here again.
In some embodiments, the defense server may display the attack processing information, so that relevant people can intuitively know the attack behaviors encountered by each application server.
For example, the attack processing information may further include running information of the server on which the first application server is located; for example, the first application server maintains a heartbeat connection with the defense server. The heartbeat connection sends the real-time information of the application server and the real-time IP blocking information to the defense server at a certain frequency. The heartbeat information indicates that the application and the instrumentation code are alive and that no downtime or similar problem exists, and the real-time running information and real-time IP blocking information carried in the heartbeat reflect the load and the attack interception status of the application server.
Illustratively, the defense server manages the heartbeat information and real-time IP blocking information uploaded by each application server, so the information uploaded by the application servers is managed uniformly. On the defense server the user can see information such as the running state of the server where each application server is located, the attacking IP addresses, the malicious request traffic sent by each attacking IP and the IP blocking time, which visually presents the real-time running information and the defense execution state of the application.
According to the embodiment of the disclosure, the defense server is connected with at least one application server in a communication mode, so that the defense conditions of one or more application servers can be managed, and the overall defense capability of the application servers is improved.
In operation S620, the first network address is sent to a second application server, where the second application server is configured to add the first network address to a blacklist, and the second application server is any one of the N application servers except for the first application server.
According to the embodiment of the disclosure, the attack address found by one application server is shared: if another application server receives a request from that address, it can block the address directly after matching it against the blacklist, without running the attack judgment code, which saves computing resources and improves the overall defense capability.
In operation S630, second network addresses are sent to the N application servers, where the N application servers are configured to add the second network addresses to a blacklist, and the second network addresses include addresses directly added at the defense server.
In some embodiments, a second network address may also be added directly at the defense server. The defense server sends the second network address to the N application servers, so that each application server receives it and updates its blacklist. The effect is that each application server is no longer limited to its own attack judgment capability and can, for example, receive attack addresses discovered elsewhere on the network in time and defend against them quickly.
In operation S640, the second detection rule is transmitted to the N application servers, wherein the N application servers are configured to update the first detection rule based on the second detection rule.
In some embodiments, the first detection rule may be one or more and the corresponding second detection rule may be one or more. The updating of the first detection rule may be to use the second detection rule as the newly added first detection rule, or may be to replace part or all of the original first detection rule.
According to the embodiment of the disclosure, the detection rules are updated uniformly by the defense server, which avoids the inconsistent rules and uneven defense capability that arise when each application server manages its detection rules separately, as well as the omissions that easily occur when staff maintain several application servers by hand.
It should be noted that, although the operations S610 to S640 are described in sequence, the present disclosure does not limit the sequence of the operations. The operations may be executed simultaneously or independently in sequence.
FIG. 7 schematically shows a flow diagram of an application defense method executed through multi-party interaction according to another embodiment of the disclosure.
As shown in fig. 7, the application defense method of this embodiment may be executed interactively by the client, the first application server, the defense server and the second application server, and may include operations S701 to S712.
In operation S701, the client initiates an access request to the first application server.
In operation S702, instrumentation code is loaded at a first application server. The instrumentation code may include a content acquisition code, an attack judgment code, and an attack defense code, among others.
In operation S703, the content acquisition code is run to acquire the content of the request message.
In operation S704, the content acquisition code is executed to acquire a client IP address.
In operation S705, it is determined whether there is attack content in the request message. If not, operation S706 is performed, and if yes, operation S707 is performed.
In operation S706, the request message is processed and response information is returned.
In operation S707, the client IP address is added to the blacklist, a 404 status code is returned, and the client IP address is sent to the defense server.
In operation S708, the defense server sends the client IP address to the second application server, and the second application server adds the IP address to the blacklist.
In operation S709, the defense server sends an IP address newly added locally at the defense server to the second application server, and the second application server adds the IP address to the blacklist.
In operation S710, the defense server sends the IP address newly added locally at the defense server to the first application server, and the first application server adds the IP address to the blacklist.
In operation S711, the defense server sends an attack detection rule newly added locally at the defense server to the second application server, so that the second application server updates its rules.
In operation S712, the defense server sends the attack detection rule newly added locally at the defense server to the first application server, so that the first application server updates its rules.
According to the embodiment of the disclosure, malicious attacks on the application system can be monitored, and the IP that initiates an attack can be blocked in real time. Specifically, each piece of request information received by the application is inspected by means of bytecode instrumentation; when the request information is judged to contain attack characteristics, the IP blocking function is started, the client IP corresponding to the request is placed on a blacklist, and traffic from IPs on the blacklist is prevented from continuing to access the protected application. Meanwhile, the intercepted IP address, the attack request information, the blocking time and other information are sent to the defense server. The defense server manages the application servers, collates and stores the intercepted information in real time, and displays it to users.
It should be noted that, although the operations S701 to S712 are described in sequence, the present disclosure does not limit the sequence of the operations. The operations may be executed simultaneously or independently in sequence.
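The following Python model is an added example, not code from the patent or its assignee; it mirrors the content acquisition, blacklist comparison and regular-expression attack judgment described with figs. 3 to 5 together with the interaction flow S701 to S712, but as an ordinary request handler rather than instrumented bytecode. The rule patterns, header name X-Real-IP, the trusted-proxy check and all sample addresses are constructed assumptions.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A rule is (name, scope, compiled regex); scope "url" inspects the URL, "any" the
# URL and body, "upload" the body of multipart/form-data requests only.
Rule = Tuple[str, str, re.Pattern]

def make_rule(name: str, scope: str, regex: str) -> Rule:
    """Rules travel as text (for instance pushed by the defense server) and compile here."""
    return (name, scope, re.compile(regex))

# Constructed stand-ins for the page's preset attack fields, not a complete signature set.
DEFAULT_RULES: List[Rule] = [
    make_rule("file_traversal", "url", r"\.\./"),
    make_rule("sql_injection", "any", r"(?i)'\s*or\s*'"),
    make_rule("xss", "any", r"(?i)<\s*script\b|javascript\s*:"),
    make_rule("file_upload", "upload", r"(?i)\beval\s*\("),   # placeholder trojan marker
]

@dataclass
class Request:
    remote_addr: str                      # peer address, the getRemoteAddr() analogue
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> Optional[str]:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

def client_ip(req: Request, trusted_proxies: set, real_ip_header: str = "X-Real-IP") -> str:
    """Client IP acquisition: prefer the real-IP header a proxy attached, else the peer
    address. Added caveat: honour the header only when the peer is a trusted proxy,
    otherwise the client can forge it to dodge the block or get another address blocked."""
    forwarded = req.header(real_ip_header)
    if forwarded and req.remote_addr in trusted_proxies:
        return forwarded.split(",")[0].strip()
    return req.remote_addr

def match_rules(req: Request, rules: List[Rule]) -> Optional[str]:
    """Attack judgment: regex comparison of the extracted URL/body with the preset fields."""
    is_upload = (req.header("Content-Type") or "").lower().startswith("multipart/form-data")
    for name, scope, pattern in rules:
        if scope == "upload" and not is_upload:
            continue
        text = {"url": req.url, "upload": req.body}.get(scope, req.url + "\n" + req.body)
        if pattern.search(text):
            return name
    return None

class AppServer:
    """One of the N application servers: request handler plus its local blacklist."""
    def __init__(self, name: str, trusted_proxies=()):
        self.name = name
        self.trusted_proxies = set(trusted_proxies)
        self.rules: List[Rule] = list(DEFAULT_RULES)    # the first detection rule set
        self.blacklist: Dict[str, float] = {}           # ip -> block time
        self.outbox: List[dict] = []                    # attack processing info to report

    def handle(self, req: Request) -> Tuple[int, Optional[str]]:
        """Returns (status, rule); 404 is the page's response to blocked traffic."""
        ip = client_ip(req, self.trusted_proxies)
        if ip in self.blacklist:                        # blacklist comparison comes first
            return 404, "blacklist"
        rule = match_rules(req, self.rules)
        if rule is None:
            return 200, None                            # S706: normal processing
        self.blacklist[ip] = time.time()                # S707: block, then report
        self.outbox.append({"server": self.name, "ip": ip, "rule": rule, "url": req.url})
        return 404, rule

    def add_blacklist(self, ip: str) -> None:           # S708-S710: address from the defense server
        self.blacklist.setdefault(ip, time.time())

    def update_rules(self, new_rules: List[Rule]) -> None:
        """S711/S712: a pushed rule replaces the same-named rule or is appended."""
        merged = {r[0]: r for r in self.rules}
        merged.update({r[0]: r for r in new_rules})
        self.rules = list(merged.values())

class DefenseServer:
    """Collects attack processing information and fans out addresses and rules."""
    def __init__(self, servers: List[AppServer]):
        self.servers = servers
        self.log: List[dict] = []                       # what an operator would be shown

    def collect(self) -> None:
        """S707/S708: store each server's reports and share the IP with the other servers."""
        for src in self.servers:
            while src.outbox:
                report = src.outbox.pop(0)
                self.log.append(report)
                for other in self.servers:
                    if other is not src:
                        other.add_blacklist(report["ip"])

    def push(self, ips: List[str] = (), rules: List[Rule] = ()) -> None:
        """S709-S712: addresses or rules added at the defense server go to all N servers."""
        for server in self.servers:
            for ip in ips:
                server.add_blacklist(ip)
            server.update_rules(list(rules))
```

A real deployment would carry the outbox over the heartbeat connection and persist the defense server's log; here both are in-memory lists so the flow can be exercised offline.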
Based on the application defense method, the disclosure also provides an application defense device. The apparatus will be described in detail below with reference to fig. 8 and 9.
Fig. 8 schematically shows a block diagram of an application defense apparatus for an application server according to an embodiment of the present disclosure.
As shown in fig. 8, the application defense apparatus 800 of this embodiment may include a request receiving module 810, an attack detection module 820, and an address blocking module 830.
The request receiving module 810 may perform operation S210, and is configured to receive a request packet for accessing an application server, where the request packet includes a first network address of a client initiating an access.
The attack detection module 820 may perform operation S220 to detect attack content in the request message based on the first detection rule, where the attack content includes content that produces an attack behavior on the application server.
The address blocking module 830 may perform operation S230, and is configured to execute an attack defense code in the request processing function to block the first network address when the request packet includes the attack content, where the attack defense code is inserted into the request processing function in a bytecode instrumentation manner.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include a bytecode instrumentation module for inserting at least one of the attack determination code, the content acquisition code, and the attack defense code into the request processing function by means of bytecode instrumentation.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include an information collecting module configured to collect real-time operation information of the application server, such as CPU utilization and memory usage. The module may also run the content acquisition code to acquire the first network address and/or the attack content.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include a heartbeat maintaining module, configured to send the collected real-time information of the application server and the real-time IP blocking information to the defense server at a certain frequency.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include an address receiving module, configured to receive the second network address sent by the defense server and to update the second network address into the blacklist.
According to an embodiment of the present disclosure, the application defense apparatus 800 may further include a rule receiving module, configured to receive the second detection rule sent by the defense server and to update the first detection rule based on the second detection rule.
Fig. 9 schematically shows a block diagram of an application defense apparatus for defending a server according to an embodiment of the present disclosure.
As shown in fig. 9, the application defense apparatus 900 of this embodiment may include an information receiving module 910.
The information receiving module 910 may execute operation S610, and is configured to receive attack processing information sent by a first application server, where the first application server is any one of the N application servers, and the attack processing information includes a first network address blocked by the first application server. The first application server may perform operations S210 to S230.
According to an embodiment of the present disclosure, the application defense apparatus 900 may further include a sending module, where the sending module is configured to send the first network address to the second application server, send the second network address to the N application servers, or send the second detection rule to the N application servers.
It should be noted that the implementation, solved technical problems, implemented functions, and achieved technical effects of each module/unit/subunit and the like in the apparatus part embodiment are respectively the same as or similar to the implementation, solved technical problems, implemented functions, and achieved technical effects of each corresponding step in the method part embodiment, and are not described herein again.
According to the embodiments of the present disclosure, any of the modules of the application defense apparatus 800 or the application defense apparatus 900 may be combined and implemented in one module, or any one of the modules may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module.
According to an embodiment of the present disclosure, at least one module of the application defense apparatus 800 or the application defense apparatus 900 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, at least one of the modules of the application defense apparatus 800 or the application defense apparatus 900 may be implemented at least partly as a computer program module, which when executed, may perform a corresponding function.
FIG. 10 schematically illustrates a block diagram of an electronic device suitable for implementing an application defense method in accordance with an embodiment of the present disclosure.
As shown in fig. 10, an electronic device 1000 according to an embodiment of the present disclosure includes a processor 1001 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1002 or a program loaded from a storage section 1008 into a Random Access Memory (RAM) 1003. Processor 1001 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1001 may also include onboard memory for caching purposes. The processor 1001 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the present disclosure.
In the RAM 1003, various programs and data necessary for the operation of the electronic apparatus 1000 are stored. The processor 1001, ROM 1002, and RAM 1003 are connected to each other by a bus 1004. The processor 1001 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1002 and/or the RAM 1003. Note that the programs may also be stored in one or more memories other than the ROM 1002 and the RAM 1003. The processor 1001 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 1000 may also include an input/output (I/O) interface 1005, the input/output (I/O) interface 1005 also being connected to bus 1004, according to an embodiment of the present disclosure. Electronic device 1000 may also include one or more of the following components connected to I/O interface 1005: an input section 1006 including a keyboard, a mouse, and the like; an output section 1007 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card, a modem, or the like. The communication section 1009 performs communication processing via a network such as the internet. The driver 1010 is also connected to the I/O interface 1005 as necessary. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1010 as necessary, so that a computer program read out therefrom is mounted into the storage section 1008 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1002 and/or the RAM 1003 described above and/or one or more memories other than the ROM 1002 and the RAM 1003.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the method provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 1001. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via the communication part 1009, and/or installed from the removable medium 1011. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. The computer program performs the above-described functions defined in the system of the embodiment of the present disclosure when executed by the processor 1001. The above described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (16)

1. An application defense method is used for an application server side and comprises the following steps:
receiving a request message for accessing the application server, wherein the request message comprises a first network address of a client initiating access;
detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content for generating attack behaviors on the application server;
and, when the request message comprises the attack content, running an attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by means of bytecode instrumentation.
2. The method of claim 1, further comprising:
adding the first network address into a blacklist, wherein the blacklist comprises at least one blacklist address; and/or
sending the first network address to a defense server, wherein the defense server is used for communication connection with N application servers, and N is an integer greater than or equal to 1.
3. The method of claim 2, further comprising:
receiving a second network address sent by the defense server;
and updating the second network address into the blacklist.
4. The method of claim 2, further comprising:
receiving a second detection rule sent by the defense server;
updating the first detection rule based on the second detection rule.
5. The method of claim 1, comprising:
inserting an attack judgment code into the request processing function in a byte code instrumentation mode;
wherein the detecting attack content in the request message based on the first detection rule comprises:
and running the attack judgment code to detect the attack content, wherein the attack judgment code is used for executing the first detection rule.
6. The method of claim 5, wherein the executing the attack determination code to detect the attack content comprises:
matching the first network address with a blacklist address in a blacklist, wherein the blacklist comprises at least one blacklist address; and/or
matching a message field in the request message with a preset attack field.
7. The method according to any one of claims 1 or 5, comprising:
inserting a content acquisition code into the request processing function by way of bytecode instrumentation;
and, before blocking the first network address, further comprising:
running the content acquisition code to acquire the first network address and/or the attack content.
8. An application defense method for a defense server, the defense server being used for carrying out communication connection with N application servers, N being an integer greater than or equal to 1, the method comprising the following steps:
receiving attack processing information sent by a first application server, wherein the first application server is any one of the N application servers, and the attack processing information comprises a first network address blocked by the first application server;
wherein the first application server is configured to perform the following operations:
receiving a request message for accessing the first application server, wherein the request message comprises the first network address of a client initiating the access;
detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content that produces attack behavior against the application server;
and, under the condition that the request message comprises the attack content, running an attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
9. The method of claim 8, further comprising:
and sending the first network address to a second application server, wherein the second application server is configured to add the first network address to a blacklist, the second application server is any one of the N application servers except the first application server, and the blacklist includes at least one blacklist address.
10. The method of claim 8, further comprising:
sending a second network address to the N application servers, wherein the N application servers are configured to add the second network address to a blacklist, the second network address comprises an address directly added at the defense server, and the blacklist comprises at least one blacklist address.
11. The method of claim 8, further comprising:
sending a second detection rule to the N application servers, wherein the N application servers are configured to update the first detection rule based on the second detection rule.
12. An application defense device for an application server, comprising:
a request receiving module, configured to receive a request message for accessing the application server, wherein the request message comprises a first network address of a client initiating the access;
an attack detection module, configured to detect attack content in the request message based on a first detection rule, wherein the attack content comprises content that produces attack behavior against the application server;
and an address blocking module, configured to run an attack defense code in a request processing function to block the first network address under the condition that the request message comprises the attack content, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
13. An application defense device for a defense server, the defense server being configured to carry out communication connection with N application servers, N being an integer greater than or equal to 1, the device comprising:
an information receiving module, configured to receive attack processing information sent by a first application server, wherein the first application server is any one of the N application servers, and the attack processing information comprises a first network address blocked by the first application server;
wherein the first application server is configured to perform the following operations:
receiving a request message for accessing the first application server, wherein the request message comprises the first network address of a client initiating the access;
detecting attack content in the request message based on a first detection rule, wherein the attack content comprises content that produces attack behavior against the application server;
and, under the condition that the request message comprises the attack content, running an attack defense code in a request processing function to block the first network address, wherein the attack defense code is inserted into the request processing function by way of bytecode instrumentation.
14. An electronic device, comprising:
one or more processors;
a storage device to store one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-10.
15. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform a method according to any one of claims 1 to 10.
16. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 10.
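The following is an added illustration, not code from the patent: a small Python model of the flow in claims 1-11, in which an application server detects attack content in a request (blacklist match and/or field match against preset attack patterns), blocks the client address, and reports it to a defense server that pushes the address and new detection rules to the other application servers. Wrapping the handler at start-up stands in for bytecode instrumentation, and the attack patterns are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Request:
    client_addr: str   # the claims' "first network address" of the client
    fields: dict       # message fields (e.g. query parameters) matched against rules

# Constructed "preset attack fields" (claim 6), assumed here to be regexes over field values.
INITIAL_RULES = [r"union\s+select", r"<script\b", r"\.\./"]

class DefenseServer:
    """Claims 8-11: relays blocked addresses and detection rules between N app servers."""
    def __init__(self):
        self.app_servers = []
    def report(self, sender, addr):      # claim 8: receive attack-processing info ...
        for s in self.app_servers:       # ... and (claim 9) forward it to the other servers
            if s is not sender:
                s.receive_blacklist_address(addr)
    def push_rule(self, pattern):        # claim 11: distribute a second detection rule
        for s in self.app_servers:
            s.update_rule(pattern)

class AppServer:
    def __init__(self, defense):
        self.defense, self.blacklist = defense, set()
        self.rules = [re.compile(p, re.I) for p in INITIAL_RULES]
        defense.app_servers.append(self)
        # Stand-in for bytecode instrumentation: the judgement/defense code is wrapped
        # around the original request-processing function once, at start-up.
        self.handle_request = self._instrument(self.handle_request)
    def _instrument(self, original):
        def instrumented(req):
            if self._is_attack(req):             # attack judgement code (claim 5)
                self._block(req.client_addr)     # attack defense code (claim 1)
                return 403, "blocked"
            return original(req)
        return instrumented
    def _is_attack(self, req):                   # claim 6: blacklist and/or field match
        if req.client_addr in self.blacklist:
            return True
        return any(r.search(v) for v in req.fields.values() for r in self.rules)
    def _block(self, addr):                      # claim 2: blacklist locally, then report
        self.blacklist.add(addr)
        self.defense.report(self, addr)
    def receive_blacklist_address(self, addr):   # claim 3
        self.blacklist.add(addr)
    def update_rule(self, pattern):              # claim 4
        self.rules.append(re.compile(pattern, re.I))
    def handle_request(self, req):               # the original business handler
        return 200, f"hello {req.fields.get('user', 'anonymous')}"
```

Once one server blocks an address, every other server attached to the same defense server rejects that address on its next request, even when that request itself carries no attack content.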

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210292050.6A CN114598546B (en) 2022-03-23 2022-03-23 Application defense method, device, apparatus, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210292050.6A CN114598546B (en) 2022-03-23 2022-03-23 Application defense method, device, apparatus, medium and program product

Publications (2)

Publication Number Publication Date
CN114598546A true CN114598546A (en) 2022-06-07
CN114598546B CN114598546B (en) 2024-06-14

Family

ID=81819209

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210292050.6A Active CN114598546B (en) 2022-03-23 2022-03-23 Application defense method, device, apparatus, medium and program product

Country Status (1)

Country Link
CN (1) CN114598546B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115134139A (en) * 2022-06-27 2022-09-30 中国工商银行股份有限公司 Network attack processing method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107305606A (en) * 2016-04-20 2017-10-31 中兴通讯股份有限公司 The processing method and processing device of application file and the access method of file and device
CN110535857A (en) * 2019-08-29 2019-12-03 中国工商银行股份有限公司 The method and apparatus of protecting network attack
CN113162945A (en) * 2021-05-07 2021-07-23 北京安普诺信息技术有限公司 Vulnerability detection analysis method and device and vulnerability verification method and system based on vulnerability detection analysis method and device
CN113297577A (en) * 2021-06-16 2021-08-24 深信服科技股份有限公司 Request processing method and device, electronic equipment and readable storage medium
CN113486277A (en) * 2021-06-15 2021-10-08 北京华胜久安科技有限公司 Web application access method and device, electronic equipment and storage medium
CN113971279A (en) * 2021-10-21 2022-01-25 中国工商银行股份有限公司 Network security management method, server and network security competition system

Also Published As

Publication number Publication date
CN114598546B (en) 2024-06-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant