Ruishu's next-generation WAF-WAAP platform has three major engines that fully upgrade application security protection


In recent years, web applications have become the primary target of attackers. According to a Gartner survey, 75% of information security attacks occur at the web application layer rather than the network layer, and 2/3 of web sites are vulnerable to attacks.

As a mature security product category, the WAF applies rule- and signature-based security policies to Web applications and protects them by continuously maintaining the rule base.

However, with the continuous upgrading of offensive and defensive levels, this traditional defense system is being broken.

Traditional WAF can be "bypassed"

Since traditional WAFs build security policies based on rules, attackers can bypass them by exploiting differences between how the WAF and the Web servers and Web applications behind it handle protocol parsing, character parsing, file name parsing, encoding parsing, and SQL syntax parsing.

Traditional WAF cannot effectively identify and block new types of attacks

Currently, most WAFs on the market are based on rule matching, but rule updates often lag behind the attacks. For example, there are no pre-configured rules for 0-day vulnerability attacks; protection rules can only be written from the vulnerability's characteristics after it has been disclosed. As another example, multi-source low-frequency attacks that draw on massive IP address pools render frequency-limit and IP-limit rules ineffective.

Traditional WAFs are not able to protect against logical vulnerabilities

Traditional WAFs identify attacks based on pre-set rule bases and are powerless against business logic vulnerabilities that look like "normal" traffic. Unauthorized operations are one example: an intruder logs in to the system with a low-privilege account, intercepts and modifies user parameters, and views or modifies other authorized accounts. A traditional WAF cannot recognize this seemingly normal operation as an attack.

It can be seen that traditional WAF technology has great limitations and is no longer suitable for the current complex network attack situation. Therefore, the innovation of WAF technology has become inevitable.

Ruishu's next-generation WAF - WAAP platform: three major engines comprehensively upgrade application security protection

Ruishu's next-generation WAF - WAAP platform provides comprehensive Bot protection, DDoS defense, API protection and other functions. Its core technology, built on the three engines of "dynamic security engine" + "intelligent threat detection engine" + "rule engine", has been further upgraded into a more efficient and comprehensive application protection capability. While providing traditional Web security defense capabilities, it can also stop threats early, at the vulnerability probing and site reconnaissance stages of an attack, and deal with emerging and rapidly changing Bot attacks, 0-day attacks and application-layer DDoS attacks, helping users build an active protection system covering Web, APP, cloud and API assets.

One of the three engines: Dynamic Security Engine

Based on Ruishu Information's original dynamic security technology, the built-in dynamic security engine grants a dynamic token, valid for a certain period of time, to each legitimate request address in the current page, and blocks illegal requests that arrive without a token. By automatically and randomly inserting dynamic verification scripts into the page, it also performs human-machine identification of the accessing client, thereby identifying automated attack behavior from Bots such as scripts and programs while keeping the application logic running correctly.

The active protection technology of the dynamic security engine can effectively block probing for known Web vulnerabilities and 0-day probing without regular upgrades, stopping attacks before they occur. At the same time, it can effectively identify and intercept automated Bot threats that simulate user operations and carry no obvious malicious features, regardless of how Bot tooling changes.
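A generic sketch of the time-limited request token described above, added here as an illustration and not Ruishu's implementation. The HMAC-SHA256 construction, the binding to session and path, and the names `SECRET`, `TOKEN_TTL`, `issue_token` and `check_request` are all assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: secret held only by the gateway
TOKEN_TTL = 300                   # assumption: token lifetime in seconds


def _mac(session_id, path, expires):
    # Bind the token to one session, one request address and one expiry time.
    msg = f"{session_id}\n{path}\n{expires}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def issue_token(session_id, path, now=None):
    """Token the gateway attaches to a link while rewriting an outgoing page."""
    issued = int(time.time() if now is None else now)
    expires = issued + TOKEN_TTL
    return f"{expires}.{_mac(session_id, path, expires)}"


def check_request(session_id, path, token, now=None):
    """Return 'allow', or the reason the request is blocked."""
    if not token:
        return "block: no token"
    exp_text, _, mac = token.partition(".")
    if not (exp_text.isascii() and exp_text.isdigit() and mac):
        return "block: malformed token"
    expires = int(exp_text)
    expected = _mac(session_id, path, expires)
    # Constant-time comparison; a tampered expiry also fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "block: token not issued for this session and path"
    if (time.time() if now is None else now) > expires:
        return "block: token expired"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests against a constructed session and path.
    t = issue_token("sess-A", "/account/transfer", now=1000)
    print(check_request("sess-A", "/account/transfer", t, now=1100))
    print(check_request("sess-A", "/account/transfer", None, now=1100))
    print(check_request("sess-A", "/admin/export", t, now=1100))
    print(check_request("sess-A", "/account/transfer", t, now=1301))
```

A scanner that requests a path directly, without first loading a page that linked to it, has no valid token for that path, which is why this kind of check needs no vulnerability signatures.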

The second of the three engines: Intelligent threat detection engine

The built-in intelligent threat detection engine uses industry-leading AI model detection technology; it does not require complex configuration and automatically protects against known and unknown threats. Specifically, the engine is based on machine learning algorithms and uses millions of business samples and attack samples to build intelligent threat detection models. When new data samples become available, new models can be quickly trained and applied to protection. Alongside the "dynamic security engine", which efficiently intercepts various Bot threats, it is more intelligent and targeted in identifying deep threat behaviors. From a technical point of view, it covers four main directions:

Business traffic self-learning technology – intelligent identification of business anomalies

It builds a normal business traffic model to automatically discover deviations in access behavior. It keeps the model updated through continuous learning to detect abnormal traffic. It also has the ability to learn complex character sets and can cope with various complex business scenarios, thereby providing sophisticated and intelligent business defense capabilities.

Semantic analysis technology - accurate analysis of malicious code

Lexical analysis, syntax parsing, and threat semantic scoring mechanisms are used to detect and defend against attack behaviors, with close to zero false positives for actual business traffic. It can also effectively protect against attack code that bypasses rules through encoding obfuscation, significantly improving the 0-day detection rate and reducing the false positive and false negative rates.

Behavior Analysis Technology - Multi-application Abnormal Access Monitoring

By fully recording all request logs from the client to the server and using machine learning for in-depth behavior analysis and intelligent rule matching, the engine continuously monitors and analyzes Web, App, and API access behaviors, thereby detecting attacks and abnormal access operations in depth and accurately tracing them back to their source.

Webshell detection technology - targeted intelligent detection

AI-based Webshell detection works as follows: using a large number of training samples, suitable algorithm models are built for different kinds of feature data, the intrinsic characteristics and relationships of the data are learned automatically, and the parameters are tuned using the experience of Ruishu experts to achieve the best results. AI detection can overcome the narrowness and lag of traditional Webshell detection methods, has a certain recognition effect on new variants, and can also deal with Webshells that bypass static detection through encryption or encoding.

In the just-concluded "3rd China Artificial Intelligence Competition", the Ruishu Information AI team won the A-level championship in the network security direction of the competition with excellent results in Webshell detection and identification, including detection evaluation, false alarm evaluation, and effect testing. This shows the strong AI security technology strength of Ruishu Information.

The third of the three engines: rule engine

It has a rich built-in signature rule library that fully covers the OWASP TOP 10 attack scenarios, including injection attack protection, cross-site scripting attack protection, Webshell protection, file upload and download attack protection, cross-site request forgery protection, sensitive information filtering, etc. The rule library supports offline upgrades and online automatic updates. As the most basic engine for Web application security protection, the rule engine and its signature library cover the widest range of application threat types and are a basic and efficient technology for dealing with manual attacks.

The three built-in engines complement each other in capability, and the technologies in each engine are applied to Web, App, and API access according to their respective characteristics. The "dynamic engine" blocks most attacks from automated Bot tools, while the "AI intelligent threat detection engine" + "rule engine" supplement it against manual penetration attacks and make threat identification more intelligent, targeted, and fine-grained. The three engines can also be used independently, and through rule-free and light-rule update and optimization they can adapt to the business scenarios of different enterprise users.

Realize integrated application security defense and reduce security operation and maintenance costs

For enterprise users, Ruishu's next-generation WAF - WAAP platform can not only deal with known attack threats but also has a variety of protection measures for unknown threats. It can defend against both manual and automated attacks and secure multiple types of applications with extremely low resource consumption, greatly reducing the company's security operation and maintenance costs.

At present, Ruishu's next-generation WAF - WAAP platform is widely used by operators, finance, government, education, hospitals, and corporate customers, helping government and enterprise organizations achieve real security protection for websites, APPs, applets and APIs, effectively combat the black-market industry, and reduce their security risks and economic losses.

Ruishu Information has also participated in many national-level network security assurance tasks, such as attack and defense actual combat drills, security for the China International Import Expo, and security for the 70th anniversary of the founding of the People's Republic of China. In the attack and defense actual combat drills of the past two years, it has participated in the defense work of more than 30 important national departments and large banks. Its next-generation WAF product has achieved good results in these drills and is therefore praised by users as a "security artifact."



