
Research And Implementation Of Gzip File Unidirectional Compression And Detection Based On Web Application Firewall

Posted on: 2021-06-15 | Degree: Master | Type: Thesis
Country: China | Candidate: L Zhang | Full Text: PDF
GTID: 2518306272460484 | Subject: Communication and Information System
Abstract/Summary:
With the rapid development of Web applications, security issues have gradually surfaced, and security engineers have developed various types of security products, such as Firewalls, Intrusion Detection Systems and Intrusion Prevention Systems, to prevent hacker intrusion. As the number of cyber attacks on the application layer has increased dramatically, the protection of Web applications has become urgent, and the Web Application Firewall (WAF) was born. A WAF works mainly at the application layer. Users can configure various security policies in the WAF according to their own network environment to protect Web applications. With the continuous enrichment of Web application functions, WAFs also need to improve their detection capabilities for different application scenarios. This thesis studies the detection performance of the WAF in accordance with the application requirements of gzip files.

The main research contents include:

(1) An attack detection engine based on regular-expression matching and algorithm analysis was designed and implemented. The detection engine analyzed proxy traffic, forwarded normal traffic, and blocked malicious traffic. By analyzing the characteristics of attacks and optimizing rules, it could reduce false blocking while still accurately detecting Web attacks.

(2) To address the problem that a traditional WAF detects the traffic between the client and the server based on plaintext attack features, a model for WAF unidirectional detection of gzip compressed files was proposed on the basis of the above detection engine.

(3) By building a test environment, the WAF attack detection engine and the model for WAF unidirectional detection of gzip compressed files proposed in this thesis were tested and verified.

First, the WAF engine was designed. The detection engine used algorithmic strategies such as HTTP protocol compliance checks and black-and-white lists to filter the proxy traffic, so as to improve the ability of the WAF to process normal traffic, and then used rule-based strategies to match attack characteristics, so as to protect Web applications. Secondly, on the basis of the detection engine, the scenario of detecting gzip compressed files was implemented. After the plaintext data had been checked by the rule-based strategy, gzip compression was applied once, and a response header was added so that the client browser knew that the transmitted traffic was gzip compressed data. Because the WAF could not predict the length of the gzip-compressed output, the compressed content was returned to the client by chunked transmission, and the client performed decompression and rendering. Finally, the correctness and feasibility of the design were verified by setting up a test environment. Experimental results showed that the WAF could effectively filter abnormal traffic without attack features. After optimizing the WAF rule base, although the false negative rate had increased, the false positive rate had dropped from 35% to 6%. Testing of the gzip module showed that the system had the ability to detect gzip compressed files.
Keywords/Search Tags:Web Application Firewall, attack detection, gzip compression, chunked transmission
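
The inspect-then-compress flow described in the abstract, as an added sketch that is not the thesis's code: the plaintext body is checked against rules, gzip-compressed once, and sent in chunks because the compressed length is not known up front. The rules, function names, and the use of the standard `Content-Encoding: gzip` and `Transfer-Encoding: chunked` headers are assumptions made for illustration.

```python
import gzip
import re
import zlib

# Constructed sample rules; the thesis's rule base is not shown on the page.
RULES = [re.compile(rb"<script\b", re.I), re.compile(rb"union\s+select", re.I)]

def is_clean(body: bytes) -> bool:
    """Rule-based check on the plaintext body, before any compression."""
    return not any(rule.search(body) for rule in RULES)

def chunk(data: bytes) -> bytes:
    """Frame one HTTP/1.1 chunk: hex length, CRLF, data, CRLF."""
    return b"%x\r\n%s\r\n" % (len(data), data)

def waf_response(parts):
    """Yield wire bytes for an upstream body given as a list of plaintext parts."""
    if not is_clean(b"".join(parts)):
        msg = b"blocked"
        yield b"HTTP/1.1 403 Forbidden\r\nContent-Length: %d\r\n\r\n%s" % (len(msg), msg)
        return
    # Compressed length is unknown up front, so no Content-Length is sent.
    yield (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n")
    comp = zlib.compressobj(wbits=31)  # wbits=31 selects the gzip container
    for part in parts:
        out = comp.compress(part)
        if out:  # the compressor may buffer and emit nothing yet
            yield chunk(out)
    yield chunk(comp.flush())  # remaining data plus gzip trailer (never empty)
    yield b"0\r\n\r\n"  # terminating zero-length chunk

def client_decode(wire: bytes) -> bytes:
    """Client side: drop headers, reassemble chunks, then gunzip."""
    _, _, rest = wire.partition(b"\r\n\r\n")
    data = b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line, 16)
        if size == 0:
            return gzip.decompress(data)
        data += rest[:size]
        rest = rest[size + 2:]  # skip chunk data and its trailing CRLF
```
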