Application protection - Security Center - Alibaba Cloud Documentation Center

The application protection feature is developed based on the runtime application self-protection (RASP) technology. This feature can detect attacks and provide protection during application runtime. You do not need to change code to use the application protection feature. You need to only install the RASP agent on the servers or containers on which your applications run. The feature can protect your applications against attacks that are launched by exploiting most unknown vulnerabilities. This topic describes how to use the application protection feature.

How application protection works

The application protection feature adopts the RASP technology. The feature uses hooks to monitor the interactions between applications and other systems in real time. When suspicious behavior is detected in an application, the feature identifies and blocks attacks based on the context. This helps protect against application vulnerabilities, zero-day vulnerabilities, and in-memory webshells that are detected in the web processes on your servers. The feature is available only for Java applications.

Compatibility of the RASP agent

The application protection feature protects only processes that meet the following conditions. You can install the RASP agent only on these processes.

JDK: The Java Development Kit (JDK) version is 6 or later.
Middleware: The agent does not have specific requirements for the type and version of middleware. The following types of middleware are supported: Tomcat, Spring Boot, JBoss, WildFly, Jetty, Resin, Oracle WebLogic Server, WebSphere Application Server, Liberty, Netty, GlassFish, and middleware developed by Chinese vendors.
Operating system: Linux, Windows, or macOS operating systems are used.

Access methods

The application protection feature supports the automatic access and manual access methods. The following table describes the methods.

Access method	Description	Scenario
Automatic access for servers and containers	You do not need to manually add applications to application protection or restart the applications.	You can use this method for 64-bit servers that are not added to an existing application group. Note If the processes that run on your server are automatically added to an application group and you want to migrate the processes to a different application group, you can remove the processes and then enable automatic access for your server.
Manual access for servers	You must manually add applications to application protection and restart the applications.	If specific processes on your server are automatically added to an application group and you want to add other processes that are not protected on the server to a different application group, you can use the manual access method. If your processes use the JIRA, Confluence, WebLogic, or WebSphere framework, you must use the manual access method. If you want to add a server to multiple application groups, you must use the manual access method.
Manual access for containers

Attack types

The following table describes the types of attacks that the application protection feature can detect and the solutions to defend against each type of attack.

Attack type	Description	Solution
JNI injection	Java Native Interface (JNI) injection is a common method to bypass the RASP technology. After an attacker obtains the permissions to execute code, the attacker can use JNI functions to call external malicious dynamic-link libraries. This way, the attacker can bypass the security protection at the Java layer and conceal specific malicious behavior.	Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
SQL injection	An SQL injection attack inserts SQL statements into the query strings of web requests or web forms and induces the server to execute the SQL statements. An attacker can obtain the data on websites on which security vulnerabilities exist by inserting SQL statements into web forms.	SQL injection is caused by concatenating SQL statements. Precompile input parameters or use whitelists and blacklists to limit concatenated parameters.
XXE	XXE injection is short for XML external entity injection. If an XML file references an external entity, an attacker can construct malicious content to cause arbitrary file reads, command execution, and internal network attacks.	Check whether your application needs to load external entities when it parses XML files. If not, disable external entities in the XML parsing configurations.
Malicious DNS query	An attacker can use multiple methods to exploit malicious Domain Name System (DNS) queries. An attacker is likely to use the DNS protocol to bring sensitive information out of internal networks. The attacker may also use the DNS protocol to check whether an internal network system has vulnerabilities such as Server-Side Request Forgery (SSRF) and Java Naming and Directory Interface (JNDI) injection.	Malicious DNS queries are caused by server requests for user-controlled parameters. Check parameter settings and configure whitelists.
Malicious reflection call	The self-protection module of RASP prohibits attackers from using reflection to modify RASP data during runtime.	Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
SSRF	SSRF is a web vulnerability that allows an attacker to attack the internal system of a website by inducing a server-side application to make HTTP requests.	SSRF is caused by server requests for input parameters. Check parameter settings and configure whitelists.
Malicious file read and write	Java provides the RandomAccessFile class for file read and write operations. If you use this class to read and write files but you do not restrict the file path or file content, an attacker may read sensitive system files or upload trojan files.	Check whether file read or write operations are normal. If an exception occurs, check the function code and configure blacklists.
Malicious file upload	For the file upload feature provided by a website, if the types of files are not restricted, an attacker may obtain higher permissions on the server by uploading trojan files. This causes serious harm.	Restrict the types of files that can be uploaded and prohibit uploading files with execute permissions, such as Jakarta Server Pages (JSP) files.
Command execution	A command execution vulnerability allows an attacker to execute arbitrary system commands on a server.	In most cases, remote command execution is caused by webshells or the risky code of a server. Check the location where commands are executed. If command execution is caused by webshells, delete the webshells at the earliest opportunity. If commands are executed to implement normal features on a server, configure whitelists to limit the commands that can be executed.
Directory traversal	The directories of a website may be browsed arbitrarily due to the configuration defects of the website. This results in the disclosure of privacy information. An attacker can use the disclosed information to attack the website.	Check whether directory traversal operations are normal. If an exception occurs, check the function code and configure blacklists to restrict related commands, such as "./" and "../".
In-memory webshell injection	In-memory webshells are an emerging trojan horse technique. An attacker can inject trojans into memory by using technical approaches that help effectively bypass the detection of Web Application Firewall (WAF) and host defense.	Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Arbitrary file read	For the file download and read feature provided by a website, if files are read and downloaded by using an absolute path or a directory traversal character and file paths are not restricted, an attacker can exploit this vulnerability to obtain sensitive information and attack the server.	Check whether file read operations are normal. If an exception occurs, check the function code and configure blacklists to restrict the input parameters, such as "./" and "../".
Thread injection	Thread injection is a common method to bypass the RASP technology. If an attacker obtains the permissions to execute code, the attacker can create a thread to cause RASP to lose the context of the runtime environment. In this case, the defense capability of RASP is compromised.	Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
Malicious Attach API	The Attach API is a Java technology that can be used to dynamically modify the bytecode of running applications. An attacker can use the technology to inject agent-type in-memory webshells. This method is highly deceptive.	Your server may have a code execution vulnerability. Check the location of the vulnerability and limit the permissions to execute code.
JNDI injection	If an application initiates a JNDI query but the query URL is controlled by an attacker, the attacker can induce the server on which the application runs to query malicious links and load malicious classes. This results in arbitrary code execution on the server.	If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity. If this vulnerability is caused by self-written code for JNDI queries, you must restrict the query URLs to prohibit queries over vulnerable protocols.
Usage of vulnerable protocols	If the URL that a server accesses is user-controllable and the URL protocol is not restricted on your application, an attacker can read sensitive files on the server over vulnerable protocols such as File and NetDoc.	Restrict URL protocols.
Deserialization attack	Java deserialization is a process of restoring a sequence of bytes into a Java object. If the Java object contains code that can cause high risks, an attacker can control the member variables of the Java object to initiate attacks during the deserialization process.	Upgrade the components on which vulnerabilities are detected at the earliest opportunity. If no official component versions in which the vulnerabilities are fixed are released, temporarily disable deserialization.
Arbitrary file deletion	For the file deletion feature provided by a website, if files are read and downloaded by using an absolute path or a directory traversal character and file paths are not restricted, an attacker can exploit this vulnerability to obtain sensitive information and attack the server.	Check whether file delete operations are normal. If an exception occurs, check the function code and configure blacklists to restrict the input parameters, such as "./" and "../".
Expression language (EL) injection	Expressions provide a wide range of features, such as data query and processing during runtime. Multiple expressions also provide features that require advanced permissions such as function calls. If the features are not restricted, attackers can modify the content of expressions and execute arbitrary code.	Strictly restrict the content of expressions and disable Java function calls. If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
Engine injection	Java provides various third-party JavaScript engines (such as Rhino and Nashorn) and template engines (such as Apache Velocity and FreeMarker). In most cases, these engines provide features that require advanced permissions such as function calls. If the features are not restricted, attackers can modify the content executed by the engines and execute arbitrary code.	Strictly restrict the content imported to the engines and disable Java function calls. If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
Malicious beans binding	Some Java frameworks support bean property binding when applications are running. If the types of bean properties that can be bound are not restricted, attackers can modify the values of sensitive bean properties to disrupt the running of applications or even execute arbitrary code.	Restrict the types of bean properties that can be bound to prevent the values of bean properties such as class and class loaders from being changed. If this vulnerability is caused by third-party components, you must upgrade the components at the earliest opportunity.
Malicious class loading	Zero-day vulnerabilities and webshells depend on the loading of malicious classes. After malicious classes are loaded, attackers can initialize malicious classes, obtain the permissions to execute code, and perform malicious operations.	If malicious classes are loaded by using webshells, delete the webshells at the earliest opportunity. If malicious classes are loaded due to framework vulnerabilities, upgrade the frameworks at the earliest opportunity.
JSTL file inclusion	The JavaServer Pages Standard Tag Library (JSTL) is a set of JavaServer Pages (JSP) tags, which encapsulates the common core features of JSP applications. If a user-controllable parameter is directly concatenated in JSTL without any restrictions on the parameter, attackers can construct a special script that causes arbitrary file reads and SSRF attacks.	We recommend that you do not directly concatenate user-controllable parameters in JSTL. If you need to do this, you must exercise strict whitelist control on the content of the parameters.

Weakness types

Weakness type	Risk level	Description	Fixing suggestion
Vulnerable Fastjson configurations	High	The deserialization feature is enabled for the Fastjson library of an application. This feature may be exploited by attackers to cause remote command execution. We recommend that you disable the feature unless otherwise required.	Set safeMode of Fastjson to true or autoType to false.
Vulnerable Log4j configurations	High	The lookup feature is enabled for your Log4j component. This feature may be exploited by attackers to initiate JNDI injections and cause remote code execution.	Update Log4j to the latest version or remove the org/apache/logging/log4j/core/lookup/JndiLookup.class file from the JAR package.
Vulnerable startup parameters	High	If attackers can access the Java Debug Wire Protocol (JDWP) debugging port, the attackers can execute arbitrary code and cause remote code execution.	If the JDWP port is no longer required, disable the JDWP port at the earliest opportunity. Do not expose the JDWP port on the Internet. Monitor the JDWP port for applications that run for a long period of time. If the JDWP port is enabled, disable the port.
Weak keys in Shiro	High	If Shiro applications use weak keys for encryption, attackers can initiate deserialization attacks by cracking the keys and cause remote code execution.	Change the encryption keys in Shiro applications at the earliest opportunity.
Vulnerable JMX configurations	Moderate	If remote JMX connection is enabled and authentication risks exist, attackers can remotely connect to the JMX service of an application and cause command execution.	Disable remote JMX connection, or use a secure password for authentication.
Vulnerable Rhino configurations	Moderate	Rhino contains insure properties that attackers can exploit to achieve remote code execution.	Update Rhnio to the latest version. Use SafeStandardObjects to define the context of Rhnio and prevent the JavaScript engine from calling Java code. The following sample code provides an example on how to use SafeStandardObjects to define the context of Rhino: Context ctx = Context.enter(); // Scriptable scope = ctx.initStandardObjects(); // Vulnerable configurations Scriptable scope = ctx.initSafeStandardObjects(); // Secure configurations ctx.setOptimizationLevel(-1); String str = "var test={};"; str += "test.call=function(){return 'Successful!';};"; str += "java.lang.System.out.println(test.call())"; try { // Specify and execute JavaScript code. ctx.evaluateString(scope, str, "", 1, null); } catch (Exception e) { e.printStackTrace(); } finally { Context.exit(); }
Vulnerable Spring configurations	Moderate	Several endpoints are enabled in the Spring Boot Actuator module, such as heapDump, env, restart, refresh, trace, jolokia, and h2-console. This may cause sensitive information leaks or remote code execution.	Disable the endpoints unless otherwise required.
Vulnerable logon password	Moderate	The password of the account that is used to log on to your application is weak. Attackers can crack the password to log on to your system and obtain sensitive information and server permissions.	Change the password to a complex password at the earliest opportunity.
Vulnerable JNDI configurations	Low	Your application uses vulnerable configurations related to useCodebaseOnly, rmi-trustURLCodebase, and ldap-trustURLCodebase, which may cause JNDI injections.	Update the JDK to the latest version. If you cannot update the JDK, add the following startup parameters when you start the application: `-Djava.rmi.server.useCodebaseOnly=true -Dcom.sun.jndi.rmi.object.trustURLCodebase=false -Dcom.sun.jndi.ldap.object.trustURLCodebase=false`
Insure XML entity configurations	Low	XML parsing is enabled for external entities, which can cause XXE attacks on applications.	Do not use external entities unless otherwise required.
Weak database password	Low	If the password of the account that is used by an application to connect to a database is weak, attackers can exploit the password to access the database and obtain sensitive information or achieve remote code execution.	Change the password to a complex password at the earliest opportunity.

Prerequisites

A sufficient quota for application protection is purchased. For more information, see Purchase Security Center.
The Security Center agent on your server is online.
To check whether the Security Center agent on your server is online, perform the following operations: Go to the Assets > Host page. Click the Server tab. Find your server and view the icons in the Agent column. The icon indicates that the Security Center agent is online. If the Security Center agent is offline, you can troubleshoot the issue. For more information, see Troubleshoot why the Security Center agent is offline.
The AliyunYundunWAFFullAccess and AliyunYundunSASFullAccess policies are attached to the Resource Access Management (RAM) user that is used. For more information about how to grant permissions to a RAM user, see Grant permissions to RAM users.

Step 1: Add applications for protection

Before you can use the application protection feature, you must create an application group and add the processes that you want to protect to the application group.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.
On the page that appears, click the Application Configurations tab. Then, click Create Application Group.
In the Create Application Group step of the panel that appears, enter a name and description for the application group that you want to create. Then, click Next.
We recommend that you enter a name based on the processes that you want to protect. The name must be unique. After you complete this step, an application group is created.

In the Automatic/Manual Access step, add processes to the application protection feature by using the automatic or manual access method.

(Recommended) Automatic access for servers and containers

The automatic access method integrates the application protection capabilities into processes by using JVM Attach when the processes are running. If you use this method, the system dynamically loads and unloads the application protection capabilities when processes are running. This ensures business continuity without the need to restart the processes.

If you use this method and the resource usage of a server, container, or JVM heap exceeds a specific threshold, the system does not install the RASP agent until the resource usage falls below the threshold. This helps ensure that the application protection feature runs as expected. The following list describes the related thresholds:

The CPU utilization of a server or a container exceeds 98%, or the remaining memory space of a server or a container is less than 200 MB. In these scenarios, the system does not install the RASP agent.
The remaining JVM heap memory space is less than 150 MB, or the metadata space is less than 5 MB. In these scenarios, the system does not install the RASP agent.

Important

The first time you add processes to the application protection feature, we recommend that you perform the operation during off-peak hours.

If you use the automatic access method, you can select only 64-bit servers that are not automatically added to an existing application group.
A server can be automatically added to only one application group.
You can enable automatic access for servers that are added by using the manual access method. If you uninstall the RASP agent from the servers, the servers are automatically added to the application protection feature.

Click Select Asset for Application Protection. In the Select Asset dialog box, select the assets that you want to add and click OK.
After you select a server, the application protection feature automatically identifies and adds the Java processes on the server or on a container hosted on the server. You do not need to restart the processes. You can select up to 100 servers at a time.
Note
After you select a server, the OK button changes to Synchronizing, which indicates that Security Center is loading the server to the list of selected servers.
Perform the following operations based on the number of servers that you want to add:
- If you want to add only one server, turn on the switch in the Application Protection column of the server. After the RASP agent is installed, click Next.
- If you want to add multiple servers, select the servers, click Batch Enable Protection, and then click Next.
  You can select up to 100 servers at a time.

After you turn on the switch in the Application Protection column for a server or you select multiple servers and click Batch Enable Protection, Security Center automatically identifies and adds the Java processes on the selected servers to the application protection feature. During this process, Installing is displayed in the Application Protection column. This process may require approximately 10 minutes to complete. The period of time varies based on your network environment. If multiple Java processes are running on a server, Security Center adds the processes at a time. After the Java processes are added, the switch in the Application Protection column is turned on. You can view the protection status of the application instances in the Protection Status column. A Java process in an application group is considered an application instance. The following list describes the valid values of the Protection Status column:

Not Added: The application protection feature is disabled for the server.
Failed: All processes on the server failed to be added to the application protection feature.
Partial Added: Several processes on the server are added to the application protection feature, but other processes on the server failed to be added to the application protection feature.
All Added: All processes on the server are added to the application protection feature.
Note
If no processes on the server can be added to the application protection feature or the processes on the server are not supported by the application protection feature, the list in the Access Details panel is empty, and All Added is displayed in the Protection Status column. Subsequently, if a process that can be added to the application protection feature runs on the server, the process is automatically added.

You can click Details in the Actions column to view the status of the added Java processes.

Manual access for servers

Click the Manual Access tab. Follow the instructions on the Host Access Guide tab to install the RASP agent and then restart your applications. Then, click Next.

Before you restart your applications, you must complete related deployment based on the runtime environment of the applications. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {appId} with the application ID that is displayed on the Host Access Guide tab when you configure the parameters. The following figure shows the position of an application ID. 应用ID位置

Runtime environment	Parameter setting
Tomcat on Linux	Add the following configurations to the {Tomcat installation directory}/bin/setenv.sh file: `export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"` If the <Tomcat installation directory>/bin/ directory does not contain the setenv.sh configuration file, create the file in the <Tomcat installation directory>/bin/ directory.
Tomcat on Windows	Add the following configurations to the <Tomcat installation directory>\bin\setenv.bat file: `set CATALINA_OPTS=%CATALINA_OPTS% "-javaagent:C:\Program Files (x86)\Alibaba\Aegis\rasp\apps\{appId}\rasp.jar"` If the <Tomcat installation directory>\bin\ directory does not contain the setenv.bat configuration file, create the file in the <Tomcat installation directory>\bin\ directory.
Jetty	Add the following configurations to the {JETTY_HOME}/start.ini configuration file: `--exec -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar`
Spring Boot	Add the -javaagent parameter to the startup command for the Spring Boot process: `java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar` For example, the following command is the original startup command of the Spring Boot process: `java -jar app.jar` Before you start the Spring Boot process to install the RASP agent, you must change the startup command to the following command: `java -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar -jar app.jar`
JBoss or WildFly	Standalone Mode Open the <JBoss installation directory>/bin/standalone.sh file and add the following content below # Display our environment: `JAVA_OPTS="${JAVA_OPTS} -javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"` Domain Mode Open the <JBoss installation directory>/domain/configuration/domain.xml file and find the <server-groups> tag. Then, find the <jvm> tag in the <server-group> tag based on which you want to install the RASP agent and add the following content: `<jvm-options> <option value="-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar"/> </jvm-options>`
Liberty	Go to the <Liberty installation directory>/${server.config.dir} directory. The default directory is /opt/ibm/wlp/usr/servers/defaultServer/jvm.options. When you create or modify the jvm.options file, add the following content to the file: `-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar`
Resin	Resin3 Open the <Resin installation directory>/conf/resin.conf file. Find the <jvm-arg> tag in the <server-default> tag and add the following content: `<jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>` Resin4 Open the <Resin installation directory>/conf/cluster-default.xml file. Find the <jvm-arg-line> tag in the <server-default> tag and add the following content: `<jvm-arg>-javaagent:/usr/local/aegis/rasp/apps/{appId}/rasp.jar</jvm-arg>`

You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

If you no longer want the application protection feature to protect the processes on your server or container, you can uninstall the RASP agent. To uninstall the RASP agent, follow the instructions that are described on the RASP Agent Uninstallation tab.

Manual access for containers

Click the Manual Access tab. Follow the instructions on the Add Container tab to install the RASP agent and then restart your container. Then, click Next.

Before you restart your container, you must complete related deployment based on the runtime environment of the container. The following table describes the parameter settings for deployment in different runtime environments. If your middleware is not included in the following table, you must replace {manager.key} with the value of Dmanager.key that is displayed on the Add Container tab when you configure the parameters.

Runtime environment	Parameter setting
SpringBoot	To install the RASP agent when an image is being packaged, modify the startup parameters in the Dockerfile and change the startup command for your applications. Startup command before the change: `CMD ["java","-jar","/app.jar"]` Startup command after the change: `CMD ["java","-javaagent:/rasp/rasp.jar","-Dmanager.key={manager.key}","-jar","/app.jar"]`
Tomcat	To install the RASP agent when an image is being packaged, add the following configurations to the Dockerfile: `ENV JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"` To install the RASP agent when the container is being started, add the following parameter to the startup command: `docker --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}"` For example, the original startup command of a container is `docker -itd --name=test -P image name`. Before you start the container to install the RASP agent, you must change the startup command to `docker -itd --env JAVA_OPTS="-javaagent:/rasp/rasp.jar -Dmanager.key={manager.key}" --name=test -P image name`.
Weblogic

You can also click Push RASP Agent on the Push Record tab to push the RASP agent to the server or container on which your applications run and install the agent on the server or container.

In the Configure Protection Mode After No False Alerts Generated step, configure a protection policy and click OK.

Important

The default protection mode is Monitor. We recommend that you use the Monitor mode for two to five days. If no false positives are reported during this period of time, you can change the protection mode to Block. If a false positive is reported, you can configure a whitelist rule to block the detection type for which the false positive is reported. For more information, see Configure a whitelist.

Parameter	Description
Application Group Name	The name of the application group. You cannot change the name in this step.
Protection Mode	The protection mode of the application group. Valid values: Monitor: monitors your applications to detect attacks. The running of the applications in the application group is not affected. If an attack is detected, an alert is generated. For this alert, Handling Method is Monitoring. Block: monitors your applications to detect attacks and blocks detected attacks, and monitors high-risk operations on application instances. If an attack is blocked, an alert is generated. For this alert, Handling Method is Blocking. Disable: disables the application protection feature for the application instances in the application group. No attacks are detected or blocked.
Detection timeout	The maximum timeout period for attack detection. Valid values: 1 to 60000. Unit: milliseconds. Default value: 300. After the specified period elapses, the original business logic continues regardless of whether the detection logic is incomplete. We recommend that you use the default value.
SOURCE IP judgment method	The method to obtain source IP addresses. If you select Default, the system obtains source IP addresses based on the values of standard request headers that record source IP addresses. The standard request headers include X-Real-IP, True-Client-IP, and X-Forwarded-For. If you select Taken from the value that defines the header, the system preferentially obtains source IP addresses based on the values of custom headers. If the system cannot obtain source IP addresses based on the values of custom headers, the value Default takes effect.
Detection type	The types of attacks to detect. We recommend that you retain the default settings. To retain the default settings, select Select All. For more information, see Attack types.

Step 2: View application analysis data

After you add an application process to the application protection feature, you can view application statistics, such as statistics on application behavior, application access, and attack alerts, on the Application Analysis tab.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.

On the Application Analysis tab, view application statistics, such as statistics on application behavior, application access, and attack alerts.

Section	Description
Application Behavior Analysis (marked 1 in the preceding figure)	Displays statistics on application behavior in the previous seven days. The application behavior is not performed by tools. Total Requests: the total number of application requests that are monitored by the application protection feature after your application processes are added to the application protection feature. Total Blocks: the total number of attacks that are blocked by the application protection feature. Total Monitored Attacks: the total number of attacks that are monitored by the application protection feature.
Application Access Statistics (marked 2 in the preceding figure)	Displays application access-related statistics. Application Group: the total number of application groups that are created within the current Alibaba Cloud account. Access instance: the number of application processes that are added to the application protection feature. Online Instances: the number of application processes that are added to the application protection feature and are protected by the application protection feature as expected. The application processes are considered authorized instances. When the application protection feature protects an application process, the quota for application protection is deducted by 1. Remaining Quota: the remaining quota for application protection.
Weakness detection data (marked 3 in the preceding figure)	Displays the total number of weaknesses that are detected by the weakness detection feature, the numbers of weaknesses at different risk levels, the trend of weakness detection, and the distribution of weaknesses by type. You can click the Weakness Detection tab to view more details about the detected weaknesses.
Latest Attack Alert (marked 4 in the preceding figure)	Displays attack alerts that are generated in the previous seven days. If you want to view more attack alerts, you can click Details to go to the Attack Alerts tab. This tab displays all attack alerts.
Top 10 Attacked Servers and Top 10 Attack IP Addresses (marked 5 in the preceding figure)	Displays the top 10 servers that are most attacked and the top 10 source IP addresses from which the most attacks are launched in the previous seven days.
Attack Type Distribution (marked 6 in the preceding figure)	Displays the top 5 attack types that are detected in the previous seven days and the distribution of the attack types. If you want to view the number and proportion for each type of attack, you can click Details.
Attack Prevention Trend (marked 7 in the preceding figure)	Displays the number of requests that are monitored or blocked and the distribution of the requests by risk level in the previous seven days. The risk level can be high, medium, or low.

Step 3: View alerts

After you add application processes to the application protection feature, you can perform the following steps to view all alerts that are detected:

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.
Click the Attack Alerts tab and view information about alerts.
On the Attack Alerts tab, you can view the statistics on application behavior and the attack statistics of your applications in charts. You can also view the details about each attack in the lower part of the tab. The details include the type, URL, behavior data, and handling method of an attack.
- View statistics of application behavior
  The Applied behavior statistics section displays the application behavior that is monitored by the application protection feature and the behavior types. Both normal behavior and attack behavior are monitored.
- View attack statistics
  The Attack statistics section displays the numbers of attacks that are detected by the application protection feature and the types of the attacks.
- View attack details
  The list in the lower part of the Attack Alerts tab displays the details about each attack. In the list, you can view the time, type, behavior data, application directory, URL, and handling method of each attack. To view the behavior details about an attack, find the attack and click View in the Operation column. In the Details panel, you can view the behavior details, including vulnerability details, request details, and server details.

Step 4: View the weaknesses of applications

The weakness detection feature can detect vulnerable configurations during application runtime, including inappropriate configurations of mainstream Java frameworks and weak passwords configured for applications and databases. You can use the feature to identify weaknesses that can be exploited by attackers. Security Center supports detection on weaknesses but does not support quick fixing for weaknesses. We recommend that you manually modify the configurations of a weakness based on the fixing suggestion provided in the details panel of the weakness. For more information about the types of weaknesses that can be detected by Security Center, see Weakness types.

If your processes are added to the application protection feature and the version of the RASP agent that is installed on the processes is 0.5.0 or later, the weakness detection feature is supported. You can perform the following operations to view the version of the RASP agent that is installed on the processes: Go to the Application Configurations tab. Find the application group to which the processes belong and click the number in the Access instance column to go to the Instance details panel. If the version of the RASP agent is earlier than 0.5.0, you can restart the application. Then, the RASP agent is automatically updated.

You can perform the following steps to view the weaknesses of applications.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.
On the Weakness Detection tab, view the data displayed in the following sections: Vulnerability Overview, Vulnerability Detection Trend, Vulnerability Distribution by Type, and Distribution of Vulnerability Detection Events by Quantity.
In the lower part of the Weakness Detection tab, view the applications on which weaknesses are detected.
- Application Startup ID: Each ID is unique in a startup cycle of an application and can be used to distinguish between weaknesses that are detected during multiple startup processes of the application.
- Status: You can view the handling status of weaknesses that are detected during the startup of an application. If a weakness detected on the application is not confirmed, the status is To Be Confirmed. If all weaknesses are handled, the status is Confirmed.
Click the icon to the left of an application startup ID to view the detected weaknesses. Find the required weakness in the weakness list and click Details in the Actions column to view the details about the weakness.
You can view the cause of a weakness and determine whether to fix the weakness based on the weakness description, fixing suggestion, and weakness location.
Return to the weakness list after you confirm whether to fix the weakness. Find the required weakness and click Modify Risk Status in the Actions column. In the Modify Risk Status dialog box, configure the Risk Status and Remarks parameters and click OK.
The following risk states are supported:
- To Be Confirmed: If you cannot confirm how to handle the weakness, select this state.
- Confirmed: If you have confirmed how to handle the weakness, select this state.
- False Positive: If the weakness does not exist or the information about the weakness is incorrect, select this state.
- Ignore: If you want to ignore the weakness, select this state.

More features

Configure a whitelist

You can configure a whitelist to allow requests from specific IP addresses. If requests match a whitelist rule that you specify, Security Center does not block or generate alerts on the requests.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Application Protection.
Click the Protection Whitelist tab. Then, click Configure Whitelist.

In the Configure Whitelist panel, configure the parameters. The following table describes the parameters.

Parameter	Description
Rule Name	Enter a name for the rule.
Attack Source IP Addresses	Enter the attack source IP addresses that you want to add to the whitelist. You can enter up to 100 IP addresses or CIDR blocks. Important If you enter 0.0.0.0/0, Security Center allows requests from all IP addresses. Proceed with caution.
Request Path	Specify the path that is used to match requests from the IP addresses in the whitelist. You can select one of the following matching methods for the path: Prefix Match: If requests are sent from IP addresses in the whitelist and the prefixes of the request paths match a specified prefix, the requests are allowed. Example: `http://39.104.XX.XX:8080/`. Suffix Match: If requests are sent from IP addresses in the whitelist and the suffixes of the request paths match a specified suffix, the requests are allowed. Example: `/Vulns/file/io/read`. Note When Security Center matches a request path against the specified condition, Security Center ignores the content in the query string. For example, the request path is `http://127.0.XX.XX:8088/Vulns/file/io/read?path=/etc/passwd`. Security Center ignores the question mark (?) and the content that follows the question mark (?). In this example, `?path=/etc/passwd` is ignored.
Detection type	If you select a detection type, Security Center ignores the detection result of the selected type.

Click Next. Then, select the application groups on which you want the whitelist rule to take effect and click OK.
After you complete the configuration, the whitelist rule takes effect on all application instances that are in the online state in the selected application groups.

Manage the remaining quota

View the remaining quota for application protection
When an application instance is protected, the quota for application protection is deducted by 1. You can use the application protection feature only when you have a sufficient quota. After you purchase a quota for application protection, you can view the remaining quota on the Application Configurations tab of the Application Protection page.
Increase the quota for application protection
If the number of application instances that require protection exceeds the remaining quota, you can purchase an additional quota. To purchase an additional quota, go to the Application Protection page and click the Application Configurations tab. Then, click Upgrade to the right of Remaining Quota. In the panel that appears, configure the Quota for Application Protection parameter.

Manage application instances

After you create an application group, you can perform the following operations to manage the application instances in the application group:

View the authorized instances that are protected by the application protection feature
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.
View the application instances that are added to the application protection feature
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Access instance column. If the icon appears to the right of a value in the RASP Version column, a new version of the RASP agent is available for the application instance. We recommend that you restart your application to automatically update the agent.
The following list describes the status of an application instance:
- Online and authorized: The application instance is protected by the application protection feature.
- Online and unauthorized: The application instance is added to the application protection feature but is not protected because the quota for application protection is insufficient. You can click Upgrade to the right of Remaining Quota to purchase an additional quota.
- Offline: The application instance is not added to the application protection feature.
Add an application instance
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, add your application process to the application group by using the automatic or manual access method. The Automatic Access tab displays only the servers that are selected for the application group.
Remove an application instance
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Access Management in the Actions column. In the Access Management panel, uninstall the RASP agent based on the method that you use to add your application process.
- Automatic Access: On the Automatic Access tab, select the server from which you want to uninstall the RASP agent and click Batch Disable Protection. You can also turn off the switch in the Application Protection column for the server.
  Important
  If you no longer require application protection for a server, you can turn off the switch in the Application Protection column and remove the server.
  On the Automatic Access tab, find the server that you want to remove and click Delete in the Actions column. You can also select multiple servers and click Batch Delete to remove the servers from the application group at a time.
- Manual Access: To uninstall the RASP agent, remove the JVM parameters that are used to add your application process and then restart the application.

Edit a protection policy

On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click Protection strategy in the Actions column. In the Protection strategy panel, modify the settings of parameters such as Protection Mode and Detection timeout.

Delete an application group

Important

After you delete an application group, the application protection feature is disabled for all application instances in the application group. Before you delete an application group, make sure that you no longer need to protect the application instances in the application group.

Before you delete an application group, make sure that no authorized instances exist in the application group or the switch in the Application Protection column is turned off for all servers that are displayed on the Application Protection tab.

On the Application Configurations tab of the Application Protection page, find the application group that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

FAQ

What types of applications can be protected by the application protection feature?

Only Java applications can be protected by the application protection feature.

Does the application protection feature affect the running of applications?

The impact on running applications is almost negligible because the application protection feature provides good control over performance, compatibility, and stability. In actual tests, the CPU overhead is less than 1%, the memory overhead is less than 30 MB, and the response time (RT) is less than 1 ms. The application protection feature provides the protection modes of Monitor, Block, and Disable and also provides the soft fuse mechanism. This minimizes interference to running applications.

How do I use the application protection feature to protect applications?

The application protection feature provides a lower false positive rate on attack detection than traditional detection techniques that are based on traffic characteristics. We recommend that you attach importance to the attacks detected by the application protection feature. After you add an application to the application protection feature, the feature protects the application in Monitor mode, which is the default protection mode. After the application runs stably for a period of time, you can change the protection mode from Monitor to Block.

Why is no attack data displayed in the Attack statistics section?

This issue may be caused by the following reasons:

The application is not added to the application protection feature. You can add your application process to the application protection feature again. For more information, see Step 1: Add applications for protection.
No real attacks are detected. Unlike traditional firewalls, the application protection feature records only real attacks. Traditional firewalls report attacks when the presence of malicious attack characteristics in packets is detected. However, the presence of malicious attack characteristics does not indicate real attacks. For example, the attack requests that exploit PHP vulnerabilities are ineffective in the Java environment. If a real attack is detected, the attacker has broken through the outer defense and can enter the internal environment of the application to perform risky operations. An application may not have a large number of real attacks. However, you must intercept attacks or fix vulnerabilities in a timely manner when real attacks are detected.