CN115499222B - Malicious request detection model training method, malicious request identification method and device - Google Patents

Malicious request detection model training method, malicious request identification method and device
Download PDF

Info

Publication number
CN115499222B
Authority
CN
China
Prior art keywords
request
malicious
malicious sample
identified
detection model
Prior art date
Legal status
Active
Application number
CN202211144655.7A
Other languages
Chinese (zh)
Other versions
CN115499222A (en)
Inventor
黄蕾
郑鹏飞
王晨亦
王实美
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Priority date
Filing date
Publication date
Application filed by Agricultural Bank of China
Priority to CN202211144655.7A
Publication of CN115499222A
Application granted
Publication of CN115499222B
Legal status: Active (current)
Anticipated expiration

Abstract

Translated from Chinese


The present application provides a training method for a malicious request detection model, a malicious request identification method and a device. In the training method for the malicious request detection model, the electronic device obtains malicious sample requests and non-malicious sample requests, annotates the request path and request parameters in the malicious sample requests, generates annotated malicious sample requests, and trains a neural network model through the annotated malicious sample requests and non-malicious sample requests to obtain a malicious request detection model. In this technical solution, the trained malicious request detection model has analysis and learning capabilities, can effectively identify variant attacks or new attacks, and improves the accuracy of identification.

Description

Training method of malicious request detection model, malicious request identification method and device
Technical Field
The present application relates to the field of network security technologies, and in particular, to a training method for a malicious request detection model, a malicious request identification method and a device.
Background
In recent years, with the spread of World Wide Web (Web) applications, Web security problems have grown more serious. Because an attack on a Web application can come from any online user, possibly even an authenticated one, such attacks are hard to detect and pose a serious threat to users' information security.
At present, the usual defence against this problem is a blacklist rule base built in advance from known attack features. When a request is received, it is matched against the attack features in the rule base: if a match succeeds the request is treated as malicious, otherwise it is treated as non-malicious. This is how malicious requests are identified.
However, the prior art can only identify existing Web application attacks, and cannot identify variant attacks or new types of attacks.
Disclosure of Invention
The application provides a training method of a malicious request detection model, a malicious request identification method and a device, which are used for solving the problem that the prior art can only identify the existing Web application attack and cannot identify variant attack or novel attack.
In a first aspect, an embodiment of the present application provides a training method for a malicious request detection model, including:
Acquiring a malicious sample request and a non-malicious sample request;
annotating a request path and request parameters in the malicious sample request to generate an annotated malicious sample request;
Training a neural network model through the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.
In one possible design of the first aspect, the request parameters include at least one of the following sub-parameters:
the type of the malicious sample request; the character length of the malicious sample request; the character length of the ciphertext string; the ratio of the character length of the ciphertext string to that of the malicious sample request; the number of first preset characters in a parameter value; the ratio of first preset characters to all characters in the parameter value; the number of preset character strings; the ratio of preset character strings to all character strings in the malicious sample request; and the accessed resource information.
In another possible design of the first aspect, the annotating the request path and the request parameter in the malicious sample request to generate an annotated malicious sample request includes:
decoding a request path in the malicious sample request, and converting uppercase characters of a character string obtained after decoding into lowercase characters to generate a first malicious sample request;
Dividing each sub-parameter in the first malicious sample request through a second preset character, and connecting the divided sub-parameters through a third character to generate a second malicious sample request;
Annotating the request path processed in the second malicious sample request and each sub-parameter to generate an annotated malicious sample request.
In a second aspect, an embodiment of the present application provides a malicious request identifying method, including:
Acquiring a request to be identified;
Inputting the request to be identified into a malicious request detection model, and obtaining a detection result, wherein the malicious request detection model is trained by the method according to any one of the first aspect, and the detection result is used for indicating whether the request to be identified is a malicious request.
In one possible design of the second aspect, the method further comprises:
If the detection result indicates that the request to be identified is a malicious request, intercepting the request to be identified, generating a corresponding error log, and returning error information to terminal equipment sending the request to be identified, wherein the error information is used for indicating that the request to be identified is not successfully sent to a corresponding server;
And if the detection result indicates that the request to be identified is a non-malicious request, forwarding the request to be identified to the corresponding server.
Optionally, the inputting the request to be identified into a malicious request detection model, and obtaining a detection result includes:
judging whether the terminal equipment has authority to perform information interaction with the server;
If yes, judging the type of the request to be identified;
If the request to be identified is a GET request, inputting the request header of the request to be identified into the malicious request detection model and obtaining the detection result;
if the request to be identified is a POST request, inputting both the request header and the request body of the request to be identified into the malicious request detection model and obtaining the detection result.
In a third aspect, an embodiment of the present application provides a training apparatus for a malicious request detection model, including:
the acquisition module is used for acquiring a malicious sample request and a non-malicious sample request;
the processing module is used for annotating the request path and the request parameters in the malicious sample request to generate an annotated malicious sample request;
the training module is used for training the neural network model through the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.
In one possible design of the third aspect, the request parameters include at least one of the following sub-parameters:
the type of the malicious sample request; the character length of the malicious sample request; the character length of the ciphertext string; the ratio of the character length of the ciphertext string to that of the malicious sample request; the number of first preset characters in a parameter value; the ratio of first preset characters to all characters in the parameter value; the number of preset character strings; the ratio of preset character strings to all character strings in the malicious sample request; and the accessed resource information.
In another possible design of the third aspect, the processing module is specifically configured to:
decoding a request path in the malicious sample request, and converting uppercase characters of a character string obtained after decoding into lowercase characters to generate a first malicious sample request;
Dividing each sub-parameter in the first malicious sample request through a second preset character, and connecting the divided sub-parameters through a third character to generate a second malicious sample request;
Annotating the request path processed in the second malicious sample request and each sub-parameter to generate an annotated malicious sample request.
In a fourth aspect, an embodiment of the present application provides a malicious request identifying apparatus, including:
The acquisition module is used for acquiring a request to be identified;
The input module is configured to input the request to be identified into a malicious request detection model, and obtain a detection result, where the malicious request detection model is obtained by training using the method according to any one of the first aspects, and the detection result is used to indicate whether the request to be identified is a malicious request.
In one possible design of the fourth aspect, the apparatus further comprises:
The sending module is used for intercepting the request to be identified if the detection result indicates that the request to be identified is a malicious request, generating a corresponding error log, and returning error information to the terminal equipment sending the request to be identified, wherein the error information is used for indicating that the request to be identified is not successfully sent to a corresponding server;
The sending module is further configured to forward the request to be identified to the corresponding server if the detection result indicates that the request to be identified is a non-malicious request.
Optionally, the input module is specifically configured to:
judging whether the terminal equipment has authority to perform information interaction with the server;
If yes, judging the type of the request to be identified;
If the request to be identified is a GET request, inputting the request header of the request to be identified into the malicious request detection model and obtaining the detection result;
if the request to be identified is a POST request, inputting both the request header and the request body of the request to be identified into the malicious request detection model and obtaining the detection result.
In a fifth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and computer program instructions stored on the memory and executable on the processor for implementing the method provided by the first aspect and each possible design when the processor executes the computer program instructions.
In a sixth aspect, embodiments of the present application may provide a computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method provided by the first aspect and each possible design.
According to the training method, the malicious request identification method and the device for the malicious request detection model, in the training method for the malicious request detection model, the electronic device annotates a request path and a request parameter in the malicious sample request by acquiring the malicious sample request and the non-malicious sample request, generates an annotated malicious sample request, and trains a neural network model by the annotated malicious sample request and the non-malicious sample request to obtain the malicious request detection model. In the technical scheme, the malicious request detection model obtained through training has analysis capability and learning capability, can effectively identify variant attacks or novel attacks, and improves the accuracy of identification. Meanwhile, the technical scheme does not need manual intervention, saves labor cost, can be suitable for various application scenes, and has higher applicability.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic diagram of a network architecture to which a training method of a malicious request detection model and a malicious request identification method provided by an embodiment of the present application are applicable;
FIG. 2 is a flowchart of a training method embodiment of a malicious request detection model according to an embodiment of the present application;
FIG. 3 is a flowchart of a second embodiment of a training method for a malicious request detection model according to the present application;
fig. 4 is a flowchart of a third embodiment of a training method of a malicious request detection model according to the embodiment of the present application;
FIG. 5 is a flowchart illustrating a malicious request identification method according to an embodiment of the present application;
fig. 6 is a schematic flow chart of a second embodiment of a malicious request identification method according to the embodiment of the present application;
fig. 7 is a schematic flow chart of a third embodiment of a malicious request identification method according to the embodiment of the present application;
Fig. 8 is a flowchart illustrating a malicious request recognition method according to a fourth embodiment of the present application;
fig. 9 is a schematic structural diagram of a training device of a malicious request detection model according to an embodiment of the present application;
fig. 10 is a schematic structural diagram of a malicious request identification apparatus according to an embodiment of the present application;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Specific embodiments of the present application have been shown by way of the above drawings and will be described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but rather to illustrate the inventive concepts to those skilled in the art by reference to the specific embodiments.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Before describing embodiments of the present application, the terms related to the embodiments of the present application will be explained first:
Deep learning: learning the inherent regularities and representation hierarchy of sample data so that a machine acquires analysis and learning capabilities comparable to a person's. In this application the sample data are the malicious sample requests and the non-malicious sample requests.
Attack: in information security, the deliberate eavesdropping on, theft of, or damage to information, or the denial of access to it for authorized users.
Web application: an application accessed through a browser; the user needs only a browser and does not have to install any other software.
Packet filtering: a router or other hardware device monitors and filters the Internet Protocol (IP) packets entering and leaving a network and refuses to forward suspicious packets.
Malicious request: a request that threatens data or service security, for example one that obtains sensitive server-side data or carries a cross-site scripting (XSS) attack, a Structured Query Language (SQL) injection, or a cross-site request forgery.
Next, the application background of the present application will be described in detail:
With the rapid development of information technology in modern society, information security has become one of the most important technologies in the field of data analysis. At the same time, attackers' means and techniques grow ever more sophisticated, so business systems face serious security challenges. How to identify malicious Web requests effectively has therefore become a problem to be solved.
At present, malicious requests are mainly identified by the following ways:
(1) Detection based on a blacklist rule base: the features of known attacks are summarised manually to build a blacklist rule base; after a request is received it is matched against the known attack features in the rule base, and it is treated as malicious if the match succeeds and as non-malicious otherwise. However, such a rule base is difficult to develop and maintain and requires rule writers with a strong ability to summarise attack features. It is also a lagging defence: it can only identify existing Web application attacks, cannot identify variant or novel attacks, cannot act before or during an attack, and can only remedy the damage afterwards, so it is powerless against unknown threats.
(2) Detection based on a security policy: only conventional requests are allowed through and all ambiguous requests are blocked, where the conventional requests are preconfigured by the relevant staff. However, this approach easily misjudges the non-malicious requests among the ambiguous ones as malicious; moreover, whenever the Web application is updated the security policy must be updated in step, so the approach is unsuited to application scenarios with a high update frequency.
(3) Detection based on packet filtering: Transmission Control Protocol (TCP)/IP packets are filtered and restricted at the network layer so that suspicious packets are dropped. However, this approach is complex to implement, easily causes network congestion under high concurrency, and responds slowly.
Based on the above problems, the application provides a training method and a malicious request identification method for a malicious request detection model, which can train a neural network model by taking a malicious sample request and a non-malicious sample request as training sets, thereby obtaining the malicious request detection model. In this way, in the actual application process, the malicious request detection model can be used to identify whether the request sent by the terminal device is a malicious request. As the malicious request detection model has analysis capability and learning capability, variant attack or novel attack can be effectively identified, meanwhile, the labor cost is saved, the identification accuracy and the processing efficiency are improved, and the adaptability to application scenes is high.
The training method and the malicious request identification method for the malicious request detection model provided by the embodiment of the application can be applied to a network structure diagram shown in fig. 1. Fig. 1 is a schematic diagram of a network architecture to which a malicious request detection model training method and a malicious request identification method provided by an embodiment of the present application are applicable. As shown in fig. 1, the network structure may include: terminal device 11, electronic device 12, server 13. Optionally, the network structure may further include a sample request database 14, where a plurality of malicious sample requests and a plurality of non-malicious sample requests are stored in the sample request database 14, and the electronic device 12 is respectively connected to the terminal device 11, the server 13, and the sample request database 14 in a wireless manner.
For example, referring to fig. 1, the electronic device 12 may obtain malicious sample requests and non-malicious sample requests from the sample request database 14, and train a pre-stored neural network model according to the obtained malicious sample requests and non-malicious sample requests, thereby generating a malicious request detection model. Further, the electronic device 12 may further obtain a request sent by the terminal device 11 for performing data interaction with the server 13, and input the request into a malicious request detection model for identification, so as to obtain a detection result for indicating whether the request is a malicious request.
It should be noted that fig. 1 is only a schematic diagram of a network structure provided by an embodiment of the present application, and the embodiment of the present application does not limit the devices included in fig. 1 or limit the positional relationship between the devices in fig. 1, for example, in fig. 1, the sample request database 14 may be an external database with respect to the electronic device 12, and in other cases, the sample request database 14 may also be disposed in the electronic device 12.
It may be understood that the entity executing the embodiments of the present application may be a terminal device, such as a computer or a tablet computer, or a server, such as a background processing platform. The present embodiment therefore refers to the terminal device and the server collectively as an electronic device; whether the electronic device is specifically a terminal device or a server is determined by the actual situation.
In an embodiment of the application, the electronic device 12 may include a model generation module 121 and an attack detection module 122, the model generation module 121 including a data stream parser 1211, a data stream processing annotator 1212, a deep learning trainer 1213; attack detection module 122 includes a data stream parser 1221, an attack detector 1222.
The data stream parser 1211 may be used, among other things, to obtain malicious sample requests as well as non-malicious sample requests.
The data stream processing annotator 1212 can be configured to annotate a request path and a request parameter in the malicious sample request to generate an annotated malicious sample request.
The deep learning trainer 1213 may be configured to train the neural network model through the annotated malicious sample requests and the non-malicious sample requests to obtain a malicious request detection model.
The data stream parser 1221 may be used to obtain a request to be identified.
The attack detector 1222 may be configured to input the request to be identified into a malicious request detection model, and obtain a detection result.
The following describes the technical scheme of the present application and how the technical scheme of the present application solves the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flowchart of a training method embodiment of a malicious request detection model according to an embodiment of the present application. As shown in fig. 2, the training method of the malicious request detection model may include the following steps:
s201, acquiring a malicious sample request and a non-malicious sample request.
A non-malicious sample request is a request carried during normal data interaction between a terminal device and the server; a malicious sample request is a request that an attacker sent to the electronic device through a terminal device at some historical moment.
Alternatively, the malicious sample requests as well as the non-malicious sample requests may be HTTP requests.
Alternatively, the malicious sample requests and the non-malicious sample requests may be stored together in one sample request database, or in two different databases (for example, the malicious sample requests in a first database and the non-malicious sample requests in a second database), or each kind may be spread across both databases. Accordingly, the electronic device may obtain the malicious and non-malicious sample requests from the sample request database, or from the first database and the second database respectively.
Alternatively, the number of the malicious sample requests may be one or more, and similarly, the number of the non-malicious sample requests may be one or more, and may be determined according to the actual situation.
S202, annotating a request path and a request parameter in the malicious sample request to generate an annotated malicious sample request.
Because request parameters are varied and semantically rich, using the malicious sample request directly makes the subsequent model training difficult, so the key information in the malicious sample request needs to be represented in a suitable form. Because the components of an HTTP request are relatively fixed and each part is well structured, the request path and the request parameters can be annotated according to the structure of each part so that the neural network model can later be trained on them.
Optionally, to prevent the sub-parameter dimension of the request parameters from becoming too high, the sub-parameters may be fixed in advance; the request parameters may then include at least one of the following sub-parameters:
the type of the malicious sample request; the character length of the malicious sample request; the character length of the ciphertext string; the ratio of the character length of the ciphertext string to that of the malicious sample request; the number of first preset characters in a parameter value; the ratio of first preset characters to all characters in the parameter value; the number of preset character strings; the ratio of preset character strings to all character strings in the malicious sample request; and the accessed resource information.
Optionally, the request parameter includes at least one sub-parameter, and each sub-parameter in the request parameter may be divided first, and then each sub-parameter may be annotated.
For example, the first preset character may be "", "$", "#", etc., and may be preset according to actual requirements, which is not specifically limited in the embodiment of the present application.
The preset character string may be "drop", "alert", "script", etc., and may be preset according to actual requirements, which is not specifically limited in the embodiment of the present application.
It should be understood that the first preset characters and the preset character strings are chosen for their association with malicious requests: in practice, malicious requests commonly contain them.
And S203, training the neural network model through the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.
In the embodiment of the application, the annotated malicious sample requests and the non-malicious sample requests are training sets, and the neural network model is trained through the training sets, so that the obtained malicious request detection model has the capability of identifying the malicious requests.
Optionally, the neural network model may be stored in the electronic device in advance by the relevant staff, or may be obtained from a network or other databases storing the neural network model, and the method for obtaining the neural network model is not specifically limited in the present application.
According to the training method for the malicious request detection model, the electronic equipment annotates the request path and the request parameters in the malicious sample request by acquiring the malicious sample request and the non-malicious sample request, so that the annotated malicious sample request is generated, and the neural network model is trained by the annotated malicious sample request and the non-malicious sample request, so that the malicious request detection model is obtained. In the technical scheme, the malicious request detection model obtained through training has analysis capability and learning capability, can effectively identify variant attacks or novel attacks, and improves the accuracy of identification. Meanwhile, the technical scheme does not need manual intervention, saves labor cost, can be suitable for various application scenes, and has higher applicability.
Optionally, in some embodiments, before the neural network model is trained with the annotated malicious sample request and the non-malicious sample request, the annotated malicious sample request and the non-malicious sample request may be further converted into a representation format understandable by the electronic device, for example into binary, and the neural network model is then trained with the converted training set.
Alternatively, in some embodiments, S201 may be implemented as follows: obtaining an initial malicious sample request and an initial non-malicious sample request, and formatting them so that only the request path and request parameter parts are retained and other redundant data is deleted, thereby obtaining the malicious sample request and the non-malicious sample request and improving the efficiency of subsequent training.
Optionally, fig. 3 is a schematic flow chart of a second embodiment of a training method of a malicious request detection model according to an embodiment of the present application. As shown in fig. 3, in connection with the embodiment shown in fig. 2, S202 may be implemented by:
S301, decoding a request path in the malicious sample request, and converting capital characters of a character string obtained after decoding into lowercase to generate a first malicious sample request.
For example, assume that the character string obtained after decoding the request path in a malicious sample request is http://localhost:ABCD/123ABcd; after the uppercase characters are converted into lowercase, the resulting character string is http://localhost:abcd/123abcd.
S302, dividing each sub-parameter in the first malicious sample request through a second preset character, and connecting the divided sub-parameters through a third character to generate a second malicious sample request.
The third character may be a space, or may be other special characters, and may be preconfigured according to actual requirements, which is not specifically limited in the embodiment of the present application.
S303, annotating the request path and each sub-parameter processed in the second malicious sample request to generate an annotated malicious sample request.
In the above embodiment, since the attack payload of a malicious request is a command sequence with a certain structure, formed jointly by special symbols and attack keywords, annotating each sub-parameter lets the malicious request detection model pay closer attention to the sensitive characters related to malicious requests, such as the first preset character and the preset character string, thereby improving recognition efficiency and accuracy.
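The pre-processing and annotation of S301-S303, carried out on one constructed malicious sample request and producing the sub-parameters the description lists (request type, character length, ciphertext length and ratio, preset-character and preset-string counts and ratios, accessed resource), as an added example rather than the patent's own code. Only "drop", "alert" and "script" come from the page; the first preset characters, the separator characters, the ciphertext pattern and the sample URL are assumptions.

```python
"""Added example: S301-S303 annotation of a malicious sample request.
Concrete characters below are assumptions, not values given by the patent."""
import re
from urllib.parse import unquote_plus, urlsplit

FIRST_PRESET_CHARS = set("'\"<>;()=-")        # assumed: injection punctuation
PRESET_STRINGS = ("drop", "alert", "script")   # the page's example attack keywords
SECOND_PRESET_CHAR = "&"                       # assumed sub-parameter separator (S302)
THIRD_CHAR = " "                               # page: "the third character may be a space"
TOKEN_RE = re.compile(r"[a-z0-9_]+")           # "character strings" counted for ratios
CIPHERTEXT_RE = re.compile(r"[a-z0-9+/]{16,}")  # assumed: long base64/hex-like run


def first_malicious_sample(raw_request: str) -> str:
    """S301: URL-decode the request, then fold upper-case characters to lower case."""
    return unquote_plus(raw_request).lower()


def second_malicious_sample(first: str) -> tuple:
    """S302: split the query on the second preset character, rejoin with the third.
    Returns (request path, list of sub-parameters, joined text)."""
    parts = urlsplit(first)
    sub_params = [p for p in parts.query.split(SECOND_PRESET_CHAR) if p]
    return parts.path, sub_params, THIRD_CHAR.join([parts.path, *sub_params])


def annotate_sub_parameter(sub_param: str) -> dict:
    """S303 per sub-parameter: first-preset-character count and ratio, preset
    string count, and the length of any ciphertext-like run inside the value."""
    name, _, value = sub_param.partition("=")
    special = sum(1 for c in value if c in FIRST_PRESET_CHARS)
    cipher = max((len(m) for m in CIPHERTEXT_RE.findall(value)), default=0)
    return {
        "name": name,
        "value": value,
        "special_count": special,
        "special_ratio": round(special / len(value), 3) if value else 0.0,
        "keyword_count": sum(value.count(k) for k in PRESET_STRINGS),
        "ciphertext_length": cipher,
    }


def annotate_request(raw_request: str, request_type: str) -> dict:
    """S301-S303 end to end: the annotated sample plus request-level features."""
    first = first_malicious_sample(raw_request)
    path, sub_params, joined = second_malicious_sample(first)
    annotated = [annotate_sub_parameter(p) for p in sub_params]
    tokens = TOKEN_RE.findall(joined)
    keyword_count = sum(joined.count(k) for k in PRESET_STRINGS)
    cipher_len = max((a["ciphertext_length"] for a in annotated), default=0)
    return {
        "text": joined,                           # decoded, lower-cased, space-joined
        "request_type": request_type,
        "length": len(first),
        "ciphertext_length": cipher_len,
        "ciphertext_ratio": round(cipher_len / len(first), 3) if first else 0.0,
        "keyword_count": keyword_count,
        "keyword_ratio": round(keyword_count / len(tokens), 3) if tokens else 0.0,
        "resource": path.rsplit("/", 1)[-1],     # accessed resource information
        "sub_parameters": annotated,
    }


# Constructed malicious sample request (not captured traffic); the token value is
# the base64 of the 26 upper-case letters, standing in for an encoded payload.
SAMPLE = ("http://localhost:8080/App/Login.php?user=Admin'%20OR%201%3D1--"
          "&pwd=x&q=%3Cscript%3Ealert(1)%3C/script%3E"
          "&token=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=")

if __name__ == "__main__":
    import json
    print(json.dumps(annotate_request(SAMPLE, "GET"), indent=2))
```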
In connection with the training method of the malicious request detection model in the above embodiments, the method is illustrated by a specific example.
Fig. 4 is a flowchart of a third embodiment of a training method of a malicious request detection model according to an embodiment of the present application. As shown in fig. 4, the training method of the malicious request detection model may include the following steps:
The electronic device may obtain an initial malicious sample request and an initial non-malicious sample request, and format the initial malicious sample request and the initial non-malicious sample request through the data stream analyzer 1211, to obtain the malicious sample request and the non-malicious sample request. And annotating the request path and the request parameters in the malicious sample request through the data stream processing annotator 1212 to generate an annotated malicious sample request. Finally, training the neural network model according to the annotated malicious sample request and the non-malicious sample request by the deep learning trainer 1213 to obtain a malicious request detection model.
After the malicious request detection model is obtained, the malicious request detection model can be used for identifying the request to be identified, which is sent by the terminal equipment. The method for identifying the request to be identified using the malicious request detection model is described in detail below in connection with specific embodiments. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
In particular, the execution subject of the malicious request recognition method may be an electronic device having processing capability, such as a terminal or a server. It should be understood that the electronic device that performs the malicious request recognition method and the electronic device that performs the training method of the malicious request detection model may be the same device or different devices.
Fig. 5 is a flowchart of a first embodiment of a malicious request identifying method according to an embodiment of the present application. As shown in fig. 5, the malicious request identification method may include the steps of:
S501, acquiring a request to be identified.
In the embodiment of the application, the request to be identified is a request sent by the terminal equipment to the server and used for carrying out data interaction with the server. The electronic device may obtain the request before the request reaches the server and identify whether the request is a malicious request to secure the data of the server.
Alternatively, the request to be identified may be an HTTP request.
Optionally, the number of requests to be identified in this step may be one or more. When there are multiple requests to be identified, they may be used for data interaction between the same terminal device and the same server, between the same terminal device and different servers, between different terminal devices and the same server, or between different terminal devices and different servers.
Optionally, the electronic device may further obtain an initial request to be identified, format the initial request to be identified, only reserve a request path and a request parameter portion of the initial request to be identified, and delete other redundant data, so as to obtain the request to be identified.
S502, inputting a request to be identified into a malicious request detection model, and obtaining a detection result.
The malicious request detection model is trained by the method in the embodiment, and the detection result is used for indicating whether the request to be identified is a malicious request or not.
For example, the detection result may be "the request to be identified is a malicious request" or "the request to be identified is a non-malicious request".
According to the malicious request identification method provided by the embodiment of the application, the electronic equipment acquires the request to be identified, and inputs the request to be identified into the malicious request detection model, so that the detection result is acquired. In the technical scheme, before the request to be identified is sent to the server, the request is identified through the malicious request detection model, so that the data security of the server is effectively ensured. Meanwhile, the malicious request detection model has analysis capability and learning capability, can effectively identify variant attacks or novel attacks, and improves the accuracy of identification. Meanwhile, the technical scheme does not need manual intervention, saves labor cost, can be suitable for various application scenes, and has higher applicability.
Optionally, in some embodiments, the malicious request identification method may further include the steps of:
If the detection result indicates that the request to be identified is a malicious request, intercepting the request to be identified, generating a corresponding error log, returning error information to terminal equipment sending the request to be identified, and if the detection result indicates that the request to be identified is a non-malicious request, forwarding the request to be identified to a corresponding server.
The error information is used for indicating that the request to be identified is not successfully sent to the corresponding server.
In the above embodiment, the request to be identified is processed differently according to the content indicated by the detection result, so that subsequent normal processing of non-malicious requests is ensured; and when the request to be identified is detected to be a malicious request, error information is returned to the terminal equipment that sent it, so that, if the request was misjudged, the relevant staff can correct it in time.
Alternatively, in some embodiments, in conjunction with the embodiment shown in fig. 5, S502 may be implemented by:
Judging whether the terminal equipment has authority to perform information interaction with the server; if so, judging the type of the request to be identified. If the request to be identified is a GET request, inputting the request header of the request to be identified into the malicious request detection model to obtain the detection result. If the request to be identified is a POST request, inputting the request header and the request body of the request to be identified into the malicious request detection model to obtain the detection result.
In the embodiment, before the request to be identified is identified, whether the terminal equipment has authority to perform information interaction with the server is judged, so that the data security of the server is effectively ensured, the subsequent identification operation is not performed when the terminal equipment has no authority, the redundant operation is reduced, and the identification efficiency is improved. Meanwhile, data of different parts are extracted according to the type of the request to be identified and input into the malicious request detection model for identification processing, and redundant data processing by the malicious request detection model is reduced, so that identification processing efficiency is improved.
In combination with the malicious request identification method in the above embodiments, the method is illustrated below by three specific examples.
Example 1, fig. 6 is a schematic flow chart of a second embodiment of a malicious request identifying method according to an embodiment of the present application. As shown in fig. 6, the malicious request identification method may further include the steps of:
The electronic device obtains the initial request to be identified, and formats the initial request to be identified through the data stream analyzer 1221 to obtain the request to be identified. Then, the request to be identified is input into the malicious request detection model through the attack detector 1222, and a detection result is obtained.
Example 2, fig. 7 is a schematic flow chart of a third embodiment of a malicious request identifying method according to an embodiment of the present application. As shown in fig. 7, the malicious request identification method may further include the steps of:
Step 1, receiving an HTTP request line.
Step 2, receiving the data stream through the buffer zone; if the data stream is successfully received, executing step 3, and if receiving the data stream fails, executing step 8.
The data stream is the initial request to be identified.
Step 3, verifying the integrity of the received data stream; if the verification passes, executing step 4, and if it fails, executing step 8.
Step 4, analyzing the request header and the request body of the data stream by an analyzer; if the analysis is normal, executing step 5, and if the analysis fails, executing step 8.
Step 5, acquiring the parameter characteristics of the request line; if the protocol version of the data stream is higher than HTTP 1.0, executing step 6, and if the protocol version is lower than HTTP 1.0, taking the data stream as the request to be identified and executing step 7.
Step 6, analyzing the header field of the data stream, and formatting the header field.
Step 7, outputting the request to be identified; after this step is executed, the subsequent steps are no longer executed.
Step 8, closing the connection with the terminal equipment transmitting the data stream.
Example 3, fig. 8 is a schematic flow chart of a fourth embodiment of a malicious request identifying method according to an embodiment of the present application. As shown in fig. 8, the malicious request identification method may further include the steps of:
S801, a request to be identified is acquired.
S802, detecting whether the terminal equipment sending the request to be identified has the right to access the server corresponding to the request to be identified, if so, executing S803, and if not, ending.
S803, acquiring a request header of the request to be identified.
S804, judging the type of the request to be identified, if the request is a POST request, executing S805, and if the request is a GET request, executing S806.
S805, acquiring a request body of the request to be identified.
S806, identifying whether the request head and/or the request body have abnormal behaviors through the malicious request detection model, if so, executing S807, and if not, executing S808.
S807, intercepting the request to be identified, generating a corresponding error log, and returning error information to the terminal equipment.
S808, forwarding the request to be identified to a corresponding server.
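The receive-and-parse flow of Example 2 (steps 1 to 8) followed by the identification flow of Example 3 (S801 to S808), as an added example that is not the patent's own code. The trained model is passed in as a callable; a keyword check built from the page's preset strings stands in for it here, and the access list, client addresses and data streams are constructed. Parsing of header fields is applied from HTTP/1.0 upwards, which is an assumption about the version check in step 5.

```python
"""Added example: parse a received data stream, then identify the request."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PRESET_STRINGS = ("drop", "alert", "script")                  # page's example keywords
AUTHORIZED: Dict[str, set] = {"10.0.0.5": {"app.internal"}}   # constructed: client -> servers


class ProtocolError(ValueError):
    """Malformed data stream: the connection is closed (step 8)."""


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]
    body: str


def parse_data_stream(stream: bytes) -> ParsedRequest:
    """Steps 1-7: request line, integrity check, header/body analysis, formatting."""
    try:
        text = stream.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ProtocolError("non-ASCII bytes in request") from exc        # step 2 failure
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise ProtocolError("end of header section never received")       # step 3 failure
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ProtocolError("malformed request line")                     # step 4 failure
    method, target, version = parts
    try:
        major, minor = (int(x) for x in version[5:].split("."))
    except ValueError as exc:
        raise ProtocolError("malformed protocol version") from exc
    headers: Dict[str, str] = {}
    if (major, minor) >= (1, 0):              # step 5: HTTP/0.9 has no header fields
        for line in header_lines:             # step 6: analyse and format header fields
            name, colon, value = line.partition(":")
            if not colon or not name.strip():
                raise ProtocolError("malformed header field")             # step 4 failure
            headers[name.strip().lower()] = value.strip()
    try:
        declared = int(headers.get("content-length", "0"))
    except ValueError as exc:
        raise ProtocolError("bad Content-Length") from exc
    if len(body) < declared:
        raise ProtocolError("body shorter than Content-Length")           # step 3 failure
    return ParsedRequest(method.upper(), target, version, headers, body[:declared])  # step 7


def keyword_detector(sample: str) -> bool:
    """Stand-in for the trained model (assumption): true if a preset keyword occurs."""
    lowered = sample.lower()
    return any(keyword in lowered for keyword in PRESET_STRINGS)


def identify(req: ParsedRequest, client_ip: str, detector: Callable[[str], bool],
             error_log: List[str]) -> dict:
    """S801-S808: authority check, GET/POST selection, detection, intercept or forward."""
    host = req.headers.get("host", "")
    if host not in AUTHORIZED.get(client_ip, set()):                        # S802: end
        return {"action": "end", "reason": "client has no authority for this server"}
    request_head = "\r\n".join([f"{req.method} {req.target} {req.version}",
                                *(f"{k}: {v}" for k, v in req.headers.items())])  # S803
    if req.method == "POST":                                               # S804/S805
        sample = request_head + "\r\n\r\n" + req.body
    else:
        sample = request_head                   # GET: only the request header is examined
    if detector(sample):                                                   # S806
        error_log.append(f"intercepted {req.method} {req.target} from {client_ip}")  # S807
        return {"action": "intercept", "status": 403,
                "error": "request was not delivered to the server"}
    return {"action": "forward", "server": host}                           # S808


def handle_connection(stream: bytes, client_ip: str,
                      detector: Callable[[str], bool] = keyword_detector,
                      error_log: Optional[List[str]] = None) -> dict:
    """Whole flow; a ProtocolError means step 8 (close the connection)."""
    try:
        req = parse_data_stream(stream)
    except ProtocolError as exc:
        return {"action": "close", "reason": str(exc)}
    return identify(req, client_ip, detector, error_log if error_log is not None else [])


# Constructed data streams (not real traffic)
GET_XSS = (b"GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\n"
           b"Host: app.internal\r\nUser-Agent: demo\r\n\r\n")
POST_LOGIN = (b"POST /login HTTP/1.1\r\nHost: app.internal\r\n"
              b"Content-Length: 16\r\n\r\nuser=alice&pwd=x")
POST_TRUNCATED = (b"POST /login HTTP/1.1\r\nHost: app.internal\r\n"
                  b"Content-Length: 40\r\n\r\nuser=alice")

if __name__ == "__main__":
    log: List[str] = []
    for raw, ip in [(GET_XSS, "10.0.0.5"), (POST_LOGIN, "10.0.0.5"),
                    (POST_TRUNCATED, "10.0.0.5"), (POST_LOGIN, "192.0.2.9")]:
        print(handle_connection(raw, ip, keyword_detector, log))
    print(log)
```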
The following are examples of the apparatus of the present application that may be used to perform the method embodiments of the present application. For details not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the method of the present application.
Fig. 9 is a schematic structural diagram of a training device for a malicious request detection model according to an embodiment of the present application. As shown in fig. 9, the training apparatus of the malicious request detection model includes:
The acquiring module 91 is configured to acquire a malicious sample request and a non-malicious sample request.
The processing module 92 is configured to annotate a request path and a request parameter in the malicious sample request, and generate an annotated malicious sample request.
The training module 93 is configured to train the neural network model through the annotated malicious sample request and the non-malicious sample request, so as to obtain a malicious request detection model.
In one possible design of the embodiment of the present application, the request parameters include at least one of the following sub-parameters:
The type of the malicious sample request, the character length of the malicious sample request, the character length of the ciphertext string, the ratio of the character length of the ciphertext string to that of the malicious sample request, the number of first preset characters in the parameter value, the ratio of the number of first preset characters to the total number of characters in the parameter value, the number of preset character strings, the ratio of the number of preset character strings to the total number of character strings in the malicious sample request, and the accessed resource information.
In another possible design of the embodiment of the present application, the processing module 92 is specifically configured to:
Decoding a request path in the malicious sample request, and converting the capital characters of the character string obtained after decoding into lower case, so as to generate a first malicious sample request.
Dividing each sub-parameter in the first malicious sample request through a second preset character, and connecting the divided sub-parameters through a third character to generate a second malicious sample request.
Annotating the request path and each sub-parameter processed in the second malicious sample request to generate an annotated malicious sample request.
The acquiring module 91 may be the data stream analyzer 1211, the processing module 92 may be the data stream processing annotator 1212, and the training module 93 may be the deep learning trainer 1213.
The training device for the malicious request detection model provided by the embodiment of the application can be used for executing the training method for the malicious request detection model in any embodiment, and the implementation principle and the technical effect are similar, and are not repeated here.
Fig. 10 is a schematic structural diagram of a malicious request identifying apparatus according to an embodiment of the present application. As shown in fig. 10, the malicious request identifying apparatus includes:
The obtaining module 1001 is configured to obtain a request to be identified.
The input module 1002 is configured to input a request to be identified into a malicious request detection model, and obtain a detection result, where the malicious request detection model is trained by using the method according to any one of the first aspect, and the detection result is used to indicate whether the request to be identified is a malicious request.
In one possible design of the embodiment of the present application, the apparatus further comprises:
The sending module is used for intercepting the request to be identified if the detection result indicates that the request to be identified is a malicious request, generating a corresponding error log, and returning error information to the terminal equipment sending the request to be identified, wherein the error information is used for indicating that the request to be identified is not successfully sent to a corresponding server.
The sending module is further configured to forward the request to be identified to a corresponding server if the detection result indicates that the request to be identified is a non-malicious request.
Optionally, the input module 1002 is specifically configured to:
Judging whether the terminal equipment has authority to perform information interaction with the server.
If yes, judging the type of the request to be identified.
If the type of the request to be identified is the GET request type, inputting the request header of the request to be identified into the malicious request detection model, and obtaining a detection result.
If the type of the request to be identified is the POST request type, inputting a request head and a request body of the request to be identified into a malicious request detection model, and obtaining a detection result.
The acquisition module 1001 may be the data stream parser 1221, and the input module 1002 may be the attack detector 1222.
The malicious request recognition device provided by the embodiment of the application can be used for executing the malicious request recognition method in any of the above embodiments, and the implementation principle and technical effects are similar, and are not repeated here.
It should be noted that the division of the modules of the above apparatus is merely a division by logical function; in practice the modules may be fully or partially integrated into one physical entity or may be physically separate. These modules may all be implemented as software invoked by a processing element, may all be implemented in hardware, or some modules may be implemented as software invoked by a processing element while others are implemented in hardware. In addition, all or part of the modules may be integrated together or implemented independently. The processing element here may be an integrated circuit with signal processing capability. In implementation, each step of the above method, or each module above, may be completed by an integrated logic circuit in hardware within the processor element or by instructions in the form of software.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 11, the electronic device 12 may include: the processor 1101, the memory 1102, and computer program instructions stored on the memory 1102 and executable on the processor 1101, the processor 1101 implementing the training method and/or the malicious request identification method of the malicious request detection model provided by any of the foregoing embodiments when executing the computer program instructions.
Alternatively, the above-described respective devices of the electronic apparatus 12 may be connected by a system bus.
The memory 1102 may be a separate memory unit or may be a memory unit integrated into the processor. The number of processors is one or more.
Optionally, the electronic device 12 may also include an interface, such as a transceiver, for interacting with other devices. The transceiver is used for communicating with other computers and forms a communication interface.
It is to be appreciated that the processor 1101 may be a central processing unit (Central Processing Unit, CPU), but may also be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), etc. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of a method disclosed in connection with the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in a processor for execution.
The system bus may be a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one bold line is drawn in the figures, but this does not mean that there is only one bus or only one type of bus. The memory may include random access memory (Random Access Memory, RAM) and may also include non-volatile memory (Non-Volatile Memory, NVM), such as at least one disk memory.
All or part of the steps for implementing the method embodiments described above may be performed by hardware associated with program instructions. The foregoing program may be stored in a readable memory. The program, when executed, performs the steps of the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disk, and any combination thereof.
The electronic device provided by the embodiment of the application can be used for executing the training method and/or the malicious request identification method of the malicious request detection model provided by any of the method embodiments, and the implementation principle and the technical effect are similar, and are not repeated here.
The embodiment of the application provides a computer readable storage medium, wherein computer execution instructions are stored in the computer readable storage medium, and when the computer execution instructions run on a computer, the computer is caused to execute the training method and/or the malicious request identification method of the malicious request detection model.
The computer readable storage medium described above may be implemented by any type of volatile or non-volatile memory device or combination thereof, such as static random access memory, electrically erasable programmable read-only memory, magnetic memory, flash memory, magnetic disk or optical disk. A readable storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.
In the alternative, a readable storage medium is coupled to the processor such that the processor can read information from, and write information to, the readable storage medium. In the alternative, the readable storage medium may be integral to the processor. The processor and the readable storage medium may reside in an application specific integrated circuit (Application Specific Integrated Circuit, ASIC). The processor and the readable storage medium may also reside as discrete components in a device.
Embodiments of the present application also provide a computer program product, where the computer program product includes a computer program, where the computer program is stored in a computer readable storage medium, and at least one processor may read the computer program from the computer readable storage medium, and the at least one processor may implement the training method and/or the malicious request identifying method of the malicious request detection model when the computer program is executed.
It is to be understood that the application is not limited to the precise arrangements and instrumentalities shown in the drawings, which have been described above, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (9)

Application CN202211144655.7A, priority date 2022-09-20, filing date 2022-09-20: Malicious request detection model training method, malicious request identification method and device (Active, CN115499222B (en))
Publications (2)

Publication Number, Publication Date
CN115499222A (en), 2022-12-20
CN115499222B (en), 2024-11-22