
WAF Rule Discovery Techniques for Web Site Security Testing

Published: 2018-05-04 00:37

Topic: WAF + automatic probing; Source: Harbin Institute of Technology, master's thesis, 2017


[Abstract]: WAF (Web Application Firewall) devices are being deployed more and more widely. They block attacks at the web application layer reasonably well and satisfy the Level 3 requirements of China's Information System Security Classified Protection scheme. For organisations subject to Level 3 classified protection, however, the security capability of the WAF device must be evaluated, and probing the rules of the target system's WAF by hand consumes a great deal of manpower. This thesis therefore proposes a technique for automatic WAF rule detection, and designs and implements an automatic WAF rule probing system that discovers the WAF rules currently in effect, improving the efficiency of classified-protection capability evaluation. The key techniques used for automatic WAF rule probing in this thesis are response similarity computation, the MEF algorithm, binary-search (dichotomy) based detection of effective character combinations, the character detection tree, and the design of an attack payload rule library. Response similarity computation compares two responses along several dimensions: whether the response was cut off, whether the status codes are the same, and how similar the response bodies are as strings. The purpose of comparing response similarity is to separate WAF responses from normal responses. The MEF algorithm (Minimum Element First) solves the following problem: when a string composed of several keywords produces a positive detection result, find all keyword combinations within it that also produce a positive result; its basic idea is that keyword combinations with fewer elements are tested first. Binary-search based effective character combination detection solves the following problem: when a string produces a positive detection result, find the unique character combination within the string that causes that result; its basic idea is to repeatedly binary-search for the rightmost effective character in the string. The character detection tree probes the wildcards of a regular expression and can identify 7 kinds of wildcard perfectly. The design of the attack payload rule library is the core technique of this thesis; how complete the library is directly determines the WAF rule detection results. At present the attack payload rule library covers four attack types: SQL injection, XSS, LFI (local file inclusion), and PHP Trojans. Using these key techniques, the thesis designs and implements an automatic WAF rule probing and discovery system, divided by function into three modules: the website filter detection module, the attack vector generation module, and the filter rule generation module. The website filter detection module extracts the website's WAF response features for use by the subsequent modules; the attack vector generation module sends attack payloads of different types to probe the website and collects and classifies the responses to each payload; the filter rule generation module takes the list of malicious strings produced by the attack vector generation module, probes mutations of each string, and thereby derives the regular expression of the WAF rule. Finally, the system was used to probe the WAF rules of ten websites, and fairly good detection results were obtained for most of them.
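The binary-search step described in the abstract, as an added worked example that is not code from the thesis: a local regex stand-in plays the role of the probed WAF (a constructed rule, not one of the thesis's rules; in the real system this oracle would be a request plus the response similarity check), and the functions below bisect for the rightmost and then the leftmost effective character before stripping interior characters that do not change the verdict. It assumes the verdict is monotone, i.e. extending a blocked substring keeps it blocked.

```python
import re
from typing import Callable, Optional

# Constructed stand-in for the probed WAF: a hypothetical rule, not one from the thesis.
WAF_RULE = re.compile(r"union.*select", re.IGNORECASE)

def simulated_waf_blocks(payload: str) -> bool:
    """Oracle: True when the simulated WAF would reject the payload."""
    return WAF_RULE.search(payload) is not None

def shortest_blocked_prefix(s: str, blocked: Callable[[str], bool]) -> int:
    """Smallest k such that s[:k] is still blocked; s[k-1] is the rightmost effective
    character. Assumes blocked(s) is True and that extending a blocked prefix keeps it blocked."""
    lo, hi = 1, len(s)
    while lo < hi:
        mid = (lo + hi) // 2
        if blocked(s[:mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo

def longest_blocked_suffix_start(s: str, blocked: Callable[[str], bool]) -> int:
    """Largest j such that s[j:] is still blocked; s[j] is the leftmost effective character."""
    lo, hi = 0, len(s) - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if blocked(s[mid:]):
            lo = mid
        else:
            hi = mid - 1
    return lo

def effective_chars(s: str, blocked: Callable[[str], bool]) -> Optional[str]:
    """Return the character combination that makes the detection result true, or None."""
    if not blocked(s):
        return None
    core = s[:shortest_blocked_prefix(s, blocked)]             # cut after the rightmost effective char
    core = core[longest_blocked_suffix_start(core, blocked):]  # cut before the leftmost effective char
    i = 1                                                      # drop interior chars that do not matter
    while i < len(core) - 1:
        trial = core[:i] + core[i + 1:]
        if blocked(trial):
            core = trial
        else:
            i += 1
    return core
```

For the constructed rule, `effective_chars("1' UNION ALL SELECT a,b -- ", simulated_waf_blocks)` reduces the payload to `UNIONSELECT`, which is exactly the set of characters the rule's fixed literals require.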
[Degree-granting institution]: Harbin Institute of Technology
[Degree level]: Master's
[Year awarded]: 2017
[Classification number]: TP393.092

