1. Technical Field
The present invention relates generally to a security management apparatus and method for a web server/web application server and, more particularly, to an apparatus and method that prevent continuous attacks on a web server/web application server.
2. Description of the Related Art
In the past, a web server/web application server was protected by analyzing the content of traffic transmitted to the web server/web application server, determining whether an attack pattern is present, and blocking the corresponding traffic or the Internet Protocol (IP) address of the system that transmitted the attack traffic.
However, because an attacker disguises his or her IP address to conceal his or her location, an attacker whose IP address is blocked can easily switch to another address using The Onion Router (TOR), a proxy server, or the like, and make an additional attack. Consequently, the attacker collects detection patterns while repeatedly being blocked and changing IP addresses, and eventually makes an attack that bypasses the detection patterns, thus possibly taking control of the web server/web application server.
That is, when an attacker secures a sufficient range of IP addresses for an attack, the conventional scheme of blocking attack traffic merely costs the attacker the slight inconvenience and time required to change an IP address, and is limited in its ability to deal with sophisticated attacks or to block additional attacks. In other words, the conventional defense checks the content of traffic transmitted to or received from the web server/web application server, detects attack patterns, and then blocks the corresponding IP address. However, when an attacker changes IP addresses, the attacker cannot be blocked again under the new address, and thus there is a limitation in blocking attacks that intelligently change IP addresses.
As related preceding technology, U.S. Patent Application Publication No. 2012-0124661 (entitled “Method for detecting a web application attack”) discloses web application attack detection technology for separating only payloads from the packets of received Hypertext Transfer Protocol (HTTP) traffic, recombining the HTTP traffic, analyzing the content of the recombined HTTP traffic using a parser, and determining whether content related to an attack is included in the HTTP traffic.