Summary of the invention
The present invention is intended to solve at least one of the problems of the technologies described above.
For this reason, one object of the present invention is to propose a network security detection method that can detect and intercept attacks on a website online and thereby effectively guarantee network security.
Another object of the present invention is to propose a network security detection system.
To achieve the above objects, the network security detection method proposed by an embodiment of the first aspect of the present invention comprises the following steps: performing a security analysis and assessment, including an analysis of vulnerabilities, on a website submitted by a user; determining the type and quantity of the vulnerabilities according to the analysis and assessment results; evaluating the website according to the type and quantity of the vulnerabilities to determine the security level of the website; and repairing the vulnerabilities according to their type.
In addition, the network security detection method according to the above embodiment of the present invention may also have the following additional technical features:
In one embodiment of the present invention, the network security detection method further comprises: detecting whether the website has vulnerabilities.
Further, a set of test criteria is applied to the website, and whether the website has vulnerabilities is determined based on the result of applying the set of test criteria to the website.
In one embodiment of the present invention, the set of test criteria comprises the following functions: determining whether an access request to the website contains an unauthorized access request; and performing a security vulnerability check on the website, covering both vulnerabilities in the website itself and vulnerabilities in the website server that provides network services for the website.
In one embodiment of the present invention, the type and quantity of the vulnerabilities are obtained according to the result of applying the set of test criteria to the website.
In one embodiment of the present invention, the types of vulnerabilities comprise high-risk vulnerabilities, medium-risk vulnerabilities and low-risk vulnerabilities.
In one embodiment of the present invention, the website is scored according to predefined evaluation criteria corresponding to high-risk, medium-risk and low-risk vulnerabilities and according to the quantities of high-risk, medium-risk and low-risk vulnerabilities found.
In one embodiment of the present invention, repairing the vulnerabilities according to their type further comprises: generating, based on the result of applying the set of test criteria to the website, a set of protection rules for the website, so that the information in each field of an access request is constrained by the protection rules.
The network security detection system according to an embodiment of the second aspect of the present invention comprises: a vulnerability analyzer, configured to perform a security analysis and assessment, including an analysis of vulnerabilities, on the website submitted by the user and to determine the type and quantity of the vulnerabilities according to the analysis and assessment results; a website evaluator, configured to evaluate the website according to the type and quantity of the vulnerabilities to determine the security level of the website; and a vulnerability repairer, configured to repair the vulnerabilities according to their type.
In addition, the network security detection system according to the above embodiment of the present invention may also have the following additional technical features:
In one embodiment of the present invention, the network security detection system further comprises: a vulnerability scanner, configured to detect whether the website has vulnerabilities.
In one embodiment of the present invention, the vulnerability scanner is configured to apply a set of test criteria to the website and to determine, based on the result of applying the set of test criteria to the website, whether the website has vulnerabilities.
In one embodiment of the present invention, the set of test criteria comprises the following functions: determining whether an access request to the website contains an unauthorized access request; and performing a security vulnerability check on the website, covering both vulnerabilities in the website itself and vulnerabilities in the website server that provides network services for the website.
In one embodiment of the present invention, the vulnerability scanner is further configured to obtain the type and quantity of the vulnerabilities according to the result of applying the set of test criteria to the website.
In one embodiment of the present invention, the types of vulnerabilities comprise high-risk vulnerabilities, medium-risk vulnerabilities and low-risk vulnerabilities.
In one embodiment of the present invention, the website evaluator is configured to score the website according to predefined evaluation criteria corresponding to high-risk, medium-risk and low-risk vulnerabilities and according to the quantities of high-risk, medium-risk and low-risk vulnerabilities found.
In one embodiment of the present invention, the vulnerability repairer is configured to generate, based on the result of applying the set of test criteria to the website, a set of protection rules for the website, to check the information in each field of an access request against the protection rules, and to determine according to the check result whether to intercept the access request.
With the network security detection method and system according to embodiments of the present invention, vulnerabilities present in the source code of a website can be detected online by simulating access requests. For example, when a certain website is visited, the information entered into the website can be used to test and analyze whether the website's source code contains vulnerabilities such as SQL injection, and the type and quantity of the vulnerabilities are obtained from the test results; the security of the website is then scored automatically and the user is prompted with the website's security level, so that the user can decide from the evaluation result whether to continue visiting the website or to repair the website's vulnerabilities. Embodiments of the present invention repair vulnerabilities online with corresponding protection rules. For example, according to the type and quantity of the vulnerabilities, a rule is generated that specifies the protected URL (URL=/login.jsp), the request type (action=post), the variable types and quantity (two variables, num and psw, where num consists of the numeric characters '0'-'9' and psw consists of the alphanumeric characters '0'-'9', 'a'-'z' or 'A'-'Z') and the variable lengths (the length of num is set to 6 characters; the length of psw is set to 6-8 characters), and this rule is applied to the website. When a user enters illegal input, the website is protected according to this repair result, which avoids the safety hazards brought by the vulnerability and effectively prevents malicious attacks on the website by hackers, greatly guaranteeing network security.
Additional aspects and advantages of the present invention will be given in part in the following description, will in part become obvious from the description, or may be learned through practice of the present invention.
Embodiment
Embodiments of the present invention will now be described in detail; examples of the embodiments are shown in the drawings. Although specific embodiments are shown, it should be understood that this is not meant to limit the invention to these specific embodiments. On the contrary, the present invention includes alternatives, modifications and equivalents within the spirit and scope of the appended claims. Numerous specific details are set forth in order to provide a thorough understanding of the subject matter presented herein. However, it will be apparent to one of ordinary skill in the art that the subject matter may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to unnecessarily obscure aspects of the embodiments.
Although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first test criterion could be termed a second test criterion, and similarly a second test criterion could be termed a first test criterion, without departing from the scope of the invention. The first test criterion and the second test criterion are both test criteria, but they are not the same test criterion.
The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. As used in the description of the invention and the appended claims, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of stated features, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, operations, elements, components and/or groups thereof.
As used herein, the term "if" may be construed to mean "when" or "upon" or "in response to determining" or "in accordance with a determination" or "in response to detecting" that a stated condition precedent is true, depending on the context. Similarly, the phrase "if it is determined [that a stated condition precedent is true]" or "if [a stated condition precedent is true]" or "when [a stated condition precedent is true]" may be construed to mean "upon determining" or "in response to determining" or "in accordance with a determination" or "upon detecting" or "in response to detecting" that the stated condition precedent is true, depending on the context.
The network security detection method according to embodiments of the present invention is first described below with reference to the accompanying drawings.
Referring to Fig. 1, the network security detection method according to an embodiment of the present invention comprises the following steps:
Step S101: performing a security analysis and assessment, including an analysis of vulnerabilities, on the website submitted by the user. When a user visits a certain website, the embodiment of the present invention performs a security analysis and assessment of the visited website. Specifically, the vulnerabilities present in the website are analyzed and assessed: for example, a set of test criteria is applied to the website, and the type and kind of vulnerabilities in the website are determined based on the result of applying the set of test criteria to the website.
Step S102: determining the type and quantity of the vulnerabilities according to the analysis and assessment results. Specifically, the type and quantity of the vulnerabilities present in the website can be determined based on the result of applying the set of test criteria to the website. As a concrete example, suppose the analysis and assessment results show that the vulnerability types include SQL injection; the quantity of vulnerabilities of this type can then also be determined. In this example, the vulnerability types comprise high-risk, medium-risk and low-risk vulnerabilities. The definitions of high-risk, medium-risk and low-risk vulnerabilities can be set manually in advance according to the degree of harm of the vulnerability. For example, a SQL injection vulnerability may be defined as high-risk, because SQL injection easily leads to information leakage and therefore causes great harm. Of course, this is a manual evaluation approach, and the vulnerability types can be adjusted according to the circumstances. It will be appreciated that the three types defined above, i.e. high-risk, medium-risk and low-risk vulnerabilities, are only exemplary; they may also be defined in other forms, such as level-one, level-two and level-three vulnerabilities, and the level definitions may likewise be adjusted according to the circumstances: a vulnerability that is high-risk for some websites may be only medium-risk for this website, and so on. Embodiments of the present invention place no restriction on how vulnerability grade types and vulnerability grades are defined.
Step S103: evaluating the website according to the analysis and assessment results to determine the security level of the website. Specifically, in some embodiments of the present invention, the website is scored (evaluated) according to predefined evaluation criteria corresponding to high-risk, medium-risk and low-risk vulnerabilities and according to the quantities of high-risk, medium-risk and low-risk vulnerabilities, and the security level of the website is judged from the score. In this example, suppose that a website in the ideal state, i.e. without any potential safety hazard, has an evaluation score of 100; it can then be set in advance that each occurrence of a high-risk, medium-risk or low-risk vulnerability reduces the score by 10, 5 and 2 points respectively. In this way, the user at the computing terminal can clearly understand the security of the website about to be visited. Further, the security level can be set according to the score; for example, a score between 90 and 100 corresponds to security level 1, a score between 70 and 90 corresponds to security level 2, and so on. Thus the website is evaluated according to the type and quantity of its vulnerabilities, and the user is informed of the security of the website about to be visited. Of course, the evaluation criteria described in embodiments of the present invention are not limited to the above, and embodiments of the present invention place no restriction on this.
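The following is an added worked example, not code from the patent, of steps S102 and S103 as described above: scanner findings are classified into the high-, medium- and low-risk types, the per-occurrence deductions (10, 5 and 2 points from a baseline of 100) are applied, and the score is mapped to a security level. The finding list, the category-to-risk table (only SQL injection being high-risk comes from the text) and the level bands below level 2 are constructed assumptions for illustration.

```python
# Added example (not from the patent): classify findings, score the website and
# map the score to a security level as described for steps S102 and S103.
from collections import Counter

BASELINE_SCORE = 100
DEDUCTION = {"high": 10, "medium": 5, "low": 2}  # points per occurrence

# Assumed manual classification by degree of harm; the text gives only the
# "SQL injection -> high-risk" example, the other rows are illustrative.
RISK_OF_CATEGORY = {
    "sql_injection": "high",
    "xss": "medium",
    "server_banner_disclosure": "low",
}

# Bands from the text: 90-100 -> level 1, 70-90 -> level 2. Lower bands are assumed.
LEVEL_BANDS = [(90, 1), (70, 2), (50, 3), (0, 4)]


def count_by_risk(findings):
    """Map each finding's category to a risk type and count occurrences per type."""
    counts = Counter()
    for finding in findings:
        risk = RISK_OF_CATEGORY.get(finding["category"])
        if risk is None:
            raise ValueError(f"unclassified category: {finding['category']}")
        counts[risk] += 1
    return dict(counts)


def score_website(counts):
    """Deduct per-occurrence penalties from the baseline; the score never drops below 0."""
    penalty = sum(DEDUCTION[risk] * n for risk, n in counts.items())
    return max(0, BASELINE_SCORE - penalty)


def security_level(score):
    """Return the level of the first band whose lower bound the score reaches."""
    for lower_bound, level in LEVEL_BANDS:
        if score >= lower_bound:
            return level
    raise ValueError("score must be non-negative")


def evaluate(findings):
    """Whole S102/S103 pipeline: counts per risk type, score and level for the report."""
    counts = count_by_risk(findings)
    score = score_website(counts)
    return {"counts": counts, "score": score, "level": security_level(score)}


# Constructed scan result: one SQL injection point, two XSS points and one
# server banner disclosure. Expected: 100 - 10 - 5 - 5 - 2 = 78, level 2.
SAMPLE_FINDINGS = [
    {"url": "/login.jsp", "category": "sql_injection"},
    {"url": "/search.jsp", "category": "xss"},
    {"url": "/profile.jsp", "category": "xss"},
    {"url": "/", "category": "server_banner_disclosure"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_FINDINGS))
```

Because the deductions are applied per occurrence, a site with many low-risk findings can score below a site with a single high-risk one; whether that ordering is wanted is exactly the kind of adjustment the text leaves to the operator, and it is made by editing DEDUCTION and RISK_OF_CATEGORY rather than the scoring code.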
Step S104: repairing the vulnerabilities according to their type. Specifically, based on the result of applying the set of test criteria to the website, a set of protection rules for the website can be generated, the information in each field of an access request is checked against the protection rules, and whether to intercept the access request is determined according to the check result. In other words, the set of test criteria includes, but is not limited to, the following:
1. whether the website corresponds to a protected URL;
2. what the type of the access request is;
3. what the types and quantity of the variables are;
4. what the length of each variable is.
A set of protection rules for the website can be generated from the above test criteria; for example, the protection rule generated for the four test criteria above is as follows:
Thus, the information in each field of the access request is checked against the protection rules, and it is then judged from the check result whether the information in the access request conforms to the access type and the other constraints defined by the protection rules. If it conforms to what the protection rules define, the access request is legitimate; otherwise the access request is intercepted and is not allowed to reach the website server. In this way the website is repaired at the logical level, and attacks on the website caused by unauthorized access through the website's vulnerabilities are avoided. In one embodiment of the present invention, the above repair of vulnerabilities is an online repair: while the user is accessing the website server, access requests are detected online in real time and the website is repaired in real time. As a concrete example, after a vulnerability is detected it is displayed to the user together with a "one-click repair" button, and after the user clicks the "one-click repair" button the vulnerability is repaired comprehensively.
Therefore, by applying the protection rules generated above to the website, the website is repaired, hackers are prevented from attacking the network through the vulnerabilities present in the website, and network security is guaranteed.
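The following is an added example, not code from the patent, of the protection rule and request check described in step S104. It encodes the login-form rule given in the summary (protected URL /login.jsp, request type post, variables num and psw with their character classes and lengths) as an allowlist and decides whether an access request is intercepted. The request dictionaries, the class and function names and the violation messages are constructed for illustration; a deployed system would obtain the rule from the scan result and the request from the web server.

```python
# Added example (not from the patent): positive-validation protection rule for
# the login form and the check that decides whether to intercept a request.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class VariableRule:
    """Allowed character class (regex) and length range for one request variable."""
    charset: str
    min_len: int
    max_len: int

    def violation(self, value):
        """Return a reason string if the value breaks the rule, else None."""
        if not (self.min_len <= len(value) <= self.max_len):
            return f"length {len(value)} not in {self.min_len}..{self.max_len}"
        if re.fullmatch(self.charset, value) is None:
            return "character outside allowed set"
        return None


@dataclass(frozen=True)
class ProtectionRule:
    url: str          # protected URL (test criterion 1)
    method: str       # request type (test criterion 2)
    variables: dict   # name -> VariableRule; the key set fixes the variable quantity (3, 4)


# The rule from the summary: URL=/login.jsp, action=post, num numeric and 6
# characters long, psw alphanumeric and 6-8 characters long.
LOGIN_RULE = ProtectionRule(
    url="/login.jsp",
    method="POST",
    variables={
        "num": VariableRule(r"[0-9]+", 6, 6),
        "psw": VariableRule(r"[0-9A-Za-z]+", 6, 8),
    },
)


def check_request(rule, request):
    """Return the list of reasons to intercept; an empty list means the request is legitimate."""
    reasons = []
    if request["method"].upper() != rule.method:
        reasons.append(f"request type {request['method']} is not {rule.method}")
    params = request["params"]
    # Variable quantity: every expected variable present and nothing extra.
    for missing in sorted(rule.variables.keys() - params.keys()):
        reasons.append(f"missing variable {missing}")
    for extra in sorted(params.keys() - rule.variables.keys()):
        reasons.append(f"unexpected variable {extra}")
    # Variable type and length for each variable the rule knows.
    for name, var_rule in rule.variables.items():
        if name in params:
            problem = var_rule.violation(params[name])
            if problem:
                reasons.append(f"{name}: {problem}")
    return reasons


def should_intercept(rules, request):
    """Apply the rule for the request's URL; URLs without a rule are passed through."""
    rule = next((r for r in rules if r.url == request["url"]), None)
    if rule is None:
        return False
    return bool(check_request(rule, request))


# Constructed requests: a legitimate login and an injection attempt in num.
GOOD_LOGIN = {"url": "/login.jsp", "method": "post",
              "params": {"num": "123456", "psw": "Abc123"}}
INJECTED_LOGIN = {"url": "/login.jsp", "method": "post",
                  "params": {"num": "1 or 1=1", "psw": "Abc123"}}

if __name__ == "__main__":
    for req in (GOOD_LOGIN, INJECTED_LOGIN):
        verdict = "intercept" if should_intercept([LOGIN_RULE], req) else "allow"
        print(req["params"]["num"], "->", verdict, check_request(LOGIN_RULE, req))
```

Two points a practitioner should keep in mind. First, this "repair" acts on the access request, not on the website's source code: the vulnerable code is still there, and any URL without a rule (the pass-through branch above) is still exposed. Second, the rule is an allowlist rather than a blocklist of attack strings, which is why the injection attempt is rejected on its length and character set alone, without the checker needing to recognise SQL.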
In some examples of the present invention, whether the website has vulnerabilities can also be detected. In one example, the concrete operation is to apply a set of test criteria to the website and to judge whether the website has vulnerabilities based on the result of applying the set of test criteria to the website.
Specifically, the test criteria used to detect whether the website has vulnerabilities include, but are not limited to, the following functions:
1. detecting whether the website (in the website's code) contains a check for whether an access request is an unauthorized access request;
2. performing a security vulnerability check on the website, covering both vulnerabilities in the website itself and vulnerabilities in the website server that provides network services for the website.
Once there are security vulnerabilities in the website's source code, a hacker may exploit them to attack the website server. Therefore, detecting the vulnerabilities further guarantees the security of the website.
In embodiments of the present invention, both the scanning and the repair of vulnerabilities are carried out online. For example, when a user visits a certain website, the website's source code can be scanned for vulnerabilities and repaired online by the method of the embodiment, guaranteeing network security without affecting the user's use.
In some embodiments of the present invention, the repair of vulnerabilities is generated based on the above test criteria. The repair may be carried out after the vulnerability scan is completed, or the vulnerability scan and the vulnerability repair may be performed simultaneously. In addition, the vulnerability scan or the vulnerability repair may each be carried out individually. It should be noted that embodiments of the present invention place no restriction on the order of scanning and repair, and all of these variants fall within the protection scope of the present invention.
As shown in Fig. 2, a further embodiment of the present invention proposes a network security detection system. The network security detection system 200 comprises a vulnerability scanner 250, a vulnerability analyzer 210, a website evaluator 220 and a vulnerability repairer 230.
The vulnerability analyzer 210 is configured to perform a security analysis and assessment, including an analysis of vulnerabilities, on the website submitted by the user and to determine the type and quantity of the vulnerabilities according to the analysis and assessment results. The website evaluator 220 is configured to evaluate the website according to the type and quantity of the vulnerabilities to determine the security level of the website. The vulnerability repairer 230 is configured to repair the vulnerabilities according to their type.
Specifically, with reference to Fig. 2, the network security detection system 200 is applied in a network system, which generally comprises a website server 101, one or more terminal devices 102, a domain name server (DNS) and the network security detection system 200. The website server 101 stores a plurality of websites 103 and serves them to a terminal device 102 when it receives an access request from that terminal device 102. Each terminal device 102 contains various client applications (for example, a web browser), client helper programs, one or more information records (cookies) associated with different website servers, and so on. The DNS is configured to associate domain names with network devices such as the website server 101. The network security detection system 200 comprises the vulnerability scanner 250, the vulnerability analyzer 210, the website evaluator 220 and the vulnerability repairer 230; in this example, the network security detection system 200 may also comprise a protection rule database 240 for storage and the like.
In the network security detection system 200, before a website is published, it is first subjected to vulnerability scanning, vulnerability analysis and vulnerability handling by the network security detection system 200. Specifically, the access request resolved by the domain name server (DNS) is sent to the vulnerability analyzer 210, and the vulnerability analyzer 210 performs a security analysis and assessment of the website targeted by the access request, which in particular includes analyzing and assessing the website's vulnerabilities.
Security vulnerabilities in a website's source code have different sources (different types). For example, if the website contains no logic for verifying the data entry points supplied by the end user, or the information carried with them such as cookies, the website may have security vulnerabilities. Once a security vulnerability is discovered, a hacker may exploit it to attack the website server. Therefore, vulnerability scanning further guarantees the security of the website.
Further, in embodiments of the present invention the vulnerability scanner 250 scans the website's source code for vulnerabilities, and can do so by simulating access requests. For example, by analyzing real website access requests, it can be tested whether an access request contains an unauthorized access request, whether it contains a SQL (Structured Query Language) injection, whether it contains cross-site scripting (XSS), and whether it contains other vulnerabilities that can endanger network security. The vulnerability analyzer 210 then analyzes the vulnerabilities present in the website and determines their type and quantity; in this embodiment, the vulnerability types are divided into high-risk, medium-risk and low-risk. Specifically, based on the result of applying the set of test criteria to the website, it can be judged whether the website has vulnerabilities, and from this result the type and quantity of the vulnerabilities can easily be determined, for example whether a vulnerability is a SQL injection vulnerability and how many SQL injection points there are. In this example, the vulnerability types include, but are not limited to, high-risk, medium-risk and low-risk. The definitions of high-risk, medium-risk and low-risk vulnerabilities can be set manually in advance according to the degree of harm of the vulnerability; for example, a SQL injection vulnerability may be defined as high-risk, because SQL injection easily leads to information leakage and therefore causes great harm. Of course, this is a manual evaluation approach, and the vulnerability types can be adjusted according to the circumstances.
Further, the website evaluator 220 can evaluate the website according to the type and quantity of the vulnerabilities to determine the security level of the website. Specifically, the website is scored (evaluated) according to predefined evaluation criteria corresponding to high-risk, medium-risk and low-risk vulnerabilities and according to the quantities of high-risk, medium-risk and low-risk vulnerabilities, and the security level of the website is judged from the score. In this example, suppose that a website in the ideal state, i.e. without any potential safety hazard, has an evaluation score of 100; it can then be set in advance that each occurrence of a high-risk, medium-risk or low-risk vulnerability reduces the score by 10, 5 and 2 points respectively. In this way, the user at the computing terminal can clearly understand the security of the website about to be visited. Further, the security level can be set according to the score; for example, a score between 90 and 100 corresponds to security level 1, a score between 70 and 90 corresponds to security level 2, and so on. Thus the website is evaluated according to the type and quantity of its vulnerabilities, and the user is informed of the security of the website about to be visited.
After the vulnerabilities have been analyzed, they can be repaired by the vulnerability repairer 230. Specifically, based on the result of applying the set of test criteria to the website, the vulnerability repairer 230 generates a set of protection rules for the website, checks the information in each field of the access request against the protection rules, and determines according to the check result whether to intercept the access request, for example by confirming whether the URL, the request type, the variable types and quantity and the variable lengths associated with the access request satisfy the current protection rules. Thus, once the website has a vulnerability, say a SQL injection vulnerability, the protection rule can cause the injected input to be handled in a predetermined form, such as a string form. For example, for the statement "select * from studentInfo where sid='1 or 1=1'", the user input 1 or 1=1 is treated as an ordinary string, so that 1 or 1=1 cannot affect the meaning of the SQL statement; the vulnerability in the website is thereby repaired and network security is guaranteed. In other words, a set of protection rules for the website can be generated from the above test criteria, the information in each field of the access request is checked against the protection rules, and it is then judged from the check result whether the information in the access request conforms to the access type and the other constraints defined by the protection rules. If it conforms to what the protection rules define, the access request is legitimate; otherwise the access request is intercepted and is not allowed to reach the website server. In this way the website is repaired at the logical level, and attacks on the website caused by unauthorized access through the website's vulnerabilities are avoided. In certain embodiments, the protection rules are stored in the protection rule database 240.
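The studentInfo example above turns on one fact: whether the input 1 or 1=1 is parsed as part of the SQL statement or carried as a plain value. The following added example, not code from the patent, shows both outcomes against an in-memory SQLite database. The table contents are constructed, and the hardened variant uses parameter binding, which is the standard server-side way to obtain the "treated as an ordinary string" behaviour the text describes; the patent itself achieves that effect through its protection rule at the request boundary.

```python
# Added example (not from the patent): the studentInfo lookup built by string
# concatenation (vulnerable) and with a bound parameter (hardened), run on
# constructed data so the difference in row counts is visible.
import sqlite3


def make_db():
    """Constructed studentInfo table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE studentInfo (sid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO studentInfo VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn, sid_input):
    """Deliberately vulnerable: the user input becomes part of the SQL text."""
    sql = "select * from studentInfo where sid=" + sid_input
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, sid_input):
    """Hardened: the input is bound as a value, so the parser never sees it as SQL."""
    return conn.execute("select * from studentInfo where sid=?", (sid_input,)).fetchall()


def compare(sid_input):
    """Return (rows from the vulnerable query, rows from the parameterized query)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, sid_input), lookup_parameterized(conn, sid_input)
    finally:
        conn.close()


if __name__ == "__main__":
    for user_input in ("1", "1 or 1=1"):
        vulnerable, hardened = compare(user_input)
        print(f"{user_input!r}: vulnerable -> {len(vulnerable)} rows, "
              f"parameterized -> {len(hardened)} rows")
```

With the input 1 or 1=1 the concatenated statement becomes "select * from studentInfo where sid=1 or 1=1" and returns every row, which is the information leakage the text cites as the reason SQL injection is classed as high-risk; the bound version compares the integer column with the literal string and returns nothing. A request-level protection rule that only admits a six-digit num would already have intercepted this input, but the server-side binding is what makes the query safe for inputs the rule does not cover.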
In certain embodiments, the vulnerability scanner 250 applies a set of test criteria to the website, so that the security inspection of the website includes, but is not limited to, the following items:
1. testing whether an access request contains an illegal part;
2. performing a security vulnerability check on the website, covering both vulnerabilities in the website itself and vulnerabilities in the website server that provides network services for the website.
Thus, embodiments of the present invention can detect whether a website has potential vulnerabilities by judging whether access requests to the website contain unauthorized access requests and by performing a security vulnerability check covering both the website and the website server that provides network services for it.
With the network security detection method and system according to embodiments of the present invention, vulnerabilities present in the source code of a website can be detected online, for example by simulating access requests. When a certain website is visited, the information entered into the website can be used to test and analyze whether the website's source code contains vulnerabilities such as SQL injection, and the type and quantity of the vulnerabilities are obtained from the test results; the security of the website is then scored automatically and the user is prompted with the website's security level, so that the user can decide from the evaluation result whether to continue visiting the website or to repair the website's vulnerabilities online. Embodiments of the present invention repair vulnerabilities with corresponding protection rules. For example, according to the type and quantity of the vulnerabilities, a rule is generated that specifies the protected URL (URL=/login.jsp), the request type (action=post), the variable types and quantity (two variables, num and psw, where num consists of the numeric characters '0'-'9' and psw consists of the alphanumeric characters '0'-'9', 'a'-'z' or 'A'-'Z') and the variable lengths (the length of num is set to 6 characters; the length of psw is set to 6-8 characters), and this rule is applied to the website. When a user enters illegal input, the website is protected according to this repair result, which avoids the safety hazards brought by the vulnerability and effectively prevents malicious attacks on the website by hackers, greatly guaranteeing network security.
Although a number of logical steps are shown in a particular order in some of the accompanying drawings, steps that do not depend on order may be reordered, and other steps may be combined or inserted. While some reorderings or other combinations are mentioned specifically, others will be apparent to those skilled in the art, so a full list of alternatives is not reproduced. For example, a set-top box may send an unprocessed audio signal to a television content identification server, which is then responsible for converting the audio signal into an audio fingerprint. Moreover, it should be understood that the above steps may be implemented in hardware, firmware, software or any combination thereof.
For purposes of explanation, the foregoing description has been made with reference to specific embodiments. However, the illustrative discussion above is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications, thereby enabling others skilled in the art to best utilize the invention and the various embodiments with various modifications as are suited to the particular use contemplated. The embodiments include alternatives, modifications and equivalents within the spirit and scope of the appended claims. Numerous specific details are set forth in order to provide a thorough understanding of the subject matter presented herein. However, it will be apparent to one of ordinary skill in the art that the subject matter may be practiced without these specific details. In other instances, well-known methods, procedures, components and circuits have not been described in detail so as not to unnecessarily obscure aspects of the embodiments.