WAF Rule Discovery Techniques for Web Site Security Testing
Published: 2018-05-04 00:37
Topic of this thesis: WAF + automatic probing; Reference: Harbin Institute of Technology, 2017 master's thesis
【Abstract】: WAF (Web Application Firewall) devices are now deployed ever more widely; they block attacks at the web application layer reasonably well and satisfy the requirements of Level 3 of China's classified protection scheme (等级保护) for information system security. Organizations subject to Level 3 protection, however, must have the security capability of their WAF devices evaluated, and probing the rules of a target system's WAF by hand consumes a great deal of manpower. This thesis therefore proposes a technique for automatically detecting WAF rules and designs and implements an automatic WAF rule probing system that discovers the rules actually in effect, improving the efficiency of classified-protection capability evaluation. The key techniques used for automatic WAF rule probing are response similarity computation, the MEF algorithm, detection of effective character combinations by bisection, the character detection tree, and the design of the attack payload rule base. Response similarity computation compares two responses along several dimensions: whether the response was cut off, whether the status codes are the same, and how similar the response bodies are as strings. The purpose of comparing response similarity is to separate WAF responses from normal responses. MEF (Minimum Element First) solves the following problem: when a string composed of several keywords is detected (the detection result is true), find every combination of those keywords that by itself makes the detection result true; its basic idea is to test combinations with fewer keywords first. Effective-character-combination detection by bisection solves the problem of finding, for a string whose detection result is true, the unique combination of characters in that string that makes the result true; its basic idea is to repeatedly binary-search for the rightmost effective character of the string. The character detection tree probes the wildcards of regular expressions and can identify seven kinds of wildcard exactly. The design of the attack payload rule base is the core technique of this thesis; the completeness of the base directly determines the quality of the WAF rule probing results. The rule base currently covers four attack types: SQL injection, XSS, LFI (local file inclusion) and PHP trojans (web shells). Using these key techniques, the thesis designs and implements an automatic WAF rule probing and discovery system divided by function into three modules: the website filter detection module, the attack vector generation module and the filter rule generation module. The website filter detection module extracts the WAF response characteristics of the site for use by the later modules; the attack vector generation module sends attack payloads of different types to probe the site and obtains and classifies the responses to each payload; the filter rule generation module takes the list of malicious strings produced by the attack vector generation module and probes each string with transformations to obtain the regular expression of the WAF rule. Finally, the system was used to probe the WAF rules of ten websites, and for most of them good probing results were obtained.
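The abstract describes its building blocks only in prose. The following Python, added here as an illustration and not code from the thesis or its system, exercises three of them (multi-dimensional response similarity, MEF, and repeated bisection for the rightmost effective character) against a constructed mock site whose single regex rule stands in for a WAF. The dimension weights, the 0.8 threshold, the mock rule, the keyword list and the sample payloads are assumptions of this example; the real system would issue HTTP requests to the site under test instead of calling `mock_site`.

```python
# Added example (not from the thesis): three of the building blocks the abstract
# describes, run offline against a constructed mock WAF instead of a live site.
#   1. response similarity across three dimensions (stopped? status? body text)
#   2. MEF, minimum-element-first search for every minimal firing keyword combination
#   3. bisection for the rightmost effective character, repeated until only the
#      characters the rule actually needs remain
# Weights, threshold, mock rule and sample inputs are assumptions of this example.
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import combinations
from typing import Callable, List, Optional


@dataclass
class Response:
    stopped: bool            # connection dropped, no HTTP response at all
    status: Optional[int]    # HTTP status code, None when stopped
    body: str


def similarity(a: Response, b: Response) -> float:
    """Multi-dimensional similarity in [0, 1] (assumed weights: status 0.5, body 0.5)."""
    if a.stopped != b.stopped:
        return 0.0
    if a.stopped:
        return 1.0
    score = 0.5 if a.status == b.status else 0.0
    return score + 0.5 * SequenceMatcher(None, a.body, b.body).ratio()


def is_waf_response(baseline: Response, resp: Response, threshold: float = 0.8) -> bool:
    """A response that no longer resembles the benign baseline is attributed to the WAF."""
    return similarity(baseline, resp) < threshold


def mef(keywords: List[str], detect: Callable[[str], bool]) -> List[List[str]]:
    """Minimum element first: test small combinations before large ones and skip
    any combination that already contains a firing one, so only minimal sets remain."""
    found = []
    for size in range(1, len(keywords) + 1):
        for combo in combinations(keywords, size):
            s = set(combo)
            if any(f <= s for f in found):
                continue
            if detect(" ".join(combo)):
                found.append(s)
    return [sorted(f) for f in found]


def effective_chars(s: str, detect: Callable[[str], bool]) -> str:
    """Bisect for the rightmost character that is still needed, move it into `kept`,
    and repeat on the remaining prefix until `kept` alone fires the rule."""
    if not detect(s):
        return ""
    prefix, kept = s, ""
    while not detect(kept):
        # invariant: detect(prefix + kept) is True and detect(kept) is False
        lo, hi = 0, len(prefix)
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if detect(prefix[:mid] + kept):
                hi = mid
            else:
                lo = mid
        kept = prefix[hi - 1] + kept      # prefix[hi-1] is the rightmost effective char
        prefix = prefix[:hi - 1]
    return kept


# --- constructed mock site standing in for the target (not a real product) ---
MOCK_RULE = re.compile(r"(?i)union\s+select|<script")


def mock_site(payload: str) -> Response:
    if MOCK_RULE.search(payload):
        return Response(False, 403, "<html><body>Request blocked</body></html>")
    return Response(False, 200, f"<html><body>Results for {payload}</body></html>")


BASELINE = mock_site("hello")                       # benign reference response


def detect(payload: str) -> bool:
    """True when the site's answer looks like the WAF rather than the application."""
    return is_waf_response(BASELINE, mock_site(payload))


if __name__ == "__main__":
    print(mef(["union", "select", "<script", "alert"], detect))
    print(effective_chars("id=1 union  select 2", detect))
```

Smallest-first enumeration in `mef` keeps the number of probes low and stops expanding a combination as soon as a subset of it fires, which is exactly what lets an evaluator read off the tokens a rule keys on; `effective_chars` then reduces one firing string to the characters the rule needs (the example input with two spaces collapses to a single space because the mock rule accepts any whitespace run), which is the raw material the abstract's filter rule generation module turns into a regular expression.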
【Degree-granting institution】: Harbin Institute of Technology
【Degree level】: Master's
【Year of degree】: 2017
【Classification number】: TP393.092
Article ID: 1840826
Link: https://www.wllwen.com/guanlilunwen/ydhl/1840826.html