This topic provides answers to some frequently asked questions about the application protection feature of Security Center.
What are the differences between the application protection feature and WAF?
You can use the application protection feature that adopts the Runtime Application Self-Protection (RASP) technology and Web Application Firewall (WAF) to protect applications. The feature can defend against zero-day vulnerabilities and encrypted traffic that target servers. WAF effectively mitigates volumetric attacks at the network ingress. To achieve comprehensive protection, we recommend that you use the feature together with WAF. For more information about the differences, see the following table.
Item | Application protection | WAF |
Focus | Ensures the security of applications, regardless of the traffic source. | Filters out and protects against attack traffic at the network layer. |
General protection scope | Provides defense against common web vulnerabilities such as SQL injection, cross-site scripting (XSS), remote code execution, file inclusion, and webshells. | |
Specialized protection scope | Provides defense against zero-day vulnerabilities, complex encoded or encrypted traffic, in-memory webshells, non-HTTP protocols, and horizontal penetration over internal networks. | Provides defense against DoS attacks such as HTTP flood attacks, crawler attacks, scan attacks, and attacks related to access control and API security. |
Detection method | Detects attacks. | Matches and filters out attack traffic based on traffic characteristics. |
Deployment location | Deployed on servers and injected into applications. | Deployed on a border gateway or before servers. WAF does not interfere with applications. |
Performance | Consumes server resources. | Consumes the resources of WAF and has no impacts on applications and origin servers. |
Vulnerability fixing | Uses virtual patches to fix vulnerabilities and locates the execution code that exploits the vulnerabilities. | Uses virtual patches to fix vulnerabilities and reports only the exploitable traits of the vulnerabilities. |
Zero-day vulnerability prevention | Supported by default. | Mitigates zero-day vulnerabilities by using the rules that are created based on vulnerability exploit methods. |
What types of applications can be protected by the application protection feature?
The application protection feature is available only for Java applications and related middleware, such as Tomcat.
Which applications can be protected by the feature?
The application protection feature is available only for Java applications in the Running state. Before you purchase a quota for the application protection feature, you can perform the following operations to view the number and details of qualified applications. An application that can be added is considered a qualified application.
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
In the Protection Statistics section, click Immediate Scan.
After you click Immediate Scan, the Security Center agent collects information about the processes on your assets.
NoteThe Security Center agent can collect the information only once per day in the Basic, Value-added Plan, Anti-virus, or Advanced edition of Security Center.
View the number of application processes on your assets. You can click the number to view the list of application processes. The list provides the server information, process name, process identifier (PID), and startup parameters of each qualified application process.
ImportantWhen an application is added to the application protection feature, the quota for the feature is deducted by one. The number of processes dynamically changes. The number displayed in the scan result is the number of processes that are running during the scan. You can estimate the quota that you need to purchase for the application protection feature based on the number of processes.
Can the application protection feature protect PHP, Python, Go, and .NET applications?
No, you cannot add PHP, Python, Go, and NET applications to the application protection feature. The application protection feature is available only for Java applications.
How do I know whether an application is added to the application protection feature?
Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Application Configurations tab of the Application Protection page, find the application group that you want to manage and click the number in the Online Instances column.
In the panel that appears, view the applications that are added to the application protection feature.
If the PID of the application process that you want to protect is displayed in the application list, the application is protected.
Does the application protection feature affect the running of applications?
The application protection feature is carefully designed to control its impact on system performance, compatibility, and stability to minimize interference with application running. Tests have proven that after the application protection feature is enabled for a server, the excess CPU utilization of the server does not exceed 1%, the excess memory usage is less than 30 MB, and the excess application latency or response time is less than 1 millisecond.
The feature also provides emergency measures, such as the soft fuse escape mechanism, to minimize interference with applications. For more information, see Resource usage thresholds.
How do I select an application protection mode?
The application protection feature detects attacks that pose actual security threats. The feature provides a lower false positive rate than traditional traffic-based detection technologies. Therefore, we recommend that you attach importance to the attacks that are detected by this feature. After you add an application to the application protection feature, the feature protects the application in Monitor mode, which is the default protection mode. After the application stably runs for a period of time, you can change the protection mode from Monitor to Block.
What is the role of the manager.key parameter when I add a container application to the application protection feature?
The manager.key parameter in the startup command is used to associate applications with the application protection feature. The vulnerability management feature of Security Center marks the application in which vulnerabilities are detected. If the RASP agent is installed on an asset that is associated with the detected vulnerability, the asset must be marked as protected. Security Center can associate the applications with the application protection feature by using the manager.key parameter.
Can I leave the manager.key parameter empty when I add a container application to the application protection feature?
No, you cannot leave the manager.key parameter empty.
When you manually add a container application to the application protection feature, you must configure the manager.key parameter. When you manually add a host application to the application protection feature, you can leave the manager.key parameter empty. The host application can be directly associated with the corresponding asset.
Why is no attack data displayed on the Attack Statistics page?
This issue may be caused by the following reasons:
The application is not added to the application protection feature. You can re-add your application process to the application protection feature. For more information, see Use the application protection feature.
No real attacks are detected. Compared with traditional firewalls, the application protection feature records only real attacks. Traditional firewalls report attacks when the presence of malicious attack characteristics in packets is detected. However, the presence of malicious attack characteristics does not indicate real attacks. For example, the attack requests that exploit PHP vulnerabilities are ineffective in the Java environment. If a real attack is detected, the attacker has broken through the outer defense and can enter the internal environment of the application to perform risky operations. An application may not receive a large number of real attacks. However, you must intercept attacks or fix vulnerabilities at the earliest opportunity when real attacks are detected.
What is the difference between the weakness detection feature and the weak password baseline check?
The weakness detection feature is used to detect risks based on the application behavior and memory status during application runtime. The weak password baseline check is mainly used to scan system configurations, including the baseline check based on the internationally agreed best practices, classified protection compliance check, and static file detection.
Why did I fail to add my application to the application protection feature?
This issue may be caused by the following reasons:
Anti-virus software is installed on your server. The software may block the RASP agent or the Security Center agent. You can view related information in the blocking results of the software.
The password of the root user in the Linux system expires.
How do I identify a blocked threat?
If you find a runtime exception named AliCloudRaspSecurityException in your business logs, the application protection feature detects exceptions or potential security threats and blocks the access attempts of the related processes.