CN114372519A - Model training method, API request filtering method, device and storage medium - Google Patents


Publication number
CN114372519A
Authority
CN
China
Prior art keywords
api request
request data
data
api
model training
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111627427.0A
Other languages
Chinese (zh)
Inventor
陈鑫远
左绘
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyi IoT Technology Co Ltd
Original Assignee
Tianyi IoT Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Tianyi IoT Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning


Abstract

The invention discloses a model training method, an API request filtering method, a computer device and a storage medium. The immunodetector trained by the model training method has higher detection speed and accuracy for detecting the dangerous injection information carried in the API request, can identify the API request as an abnormal request when the API request carries the dangerous injection information, can identify the API request as a normal request when the API request does not carry the dangerous injection information, can accurately detect the abnormal or illegal API request in real time, and can provide uniform, safe and reliable guarantee service. The invention is widely applied to the technical field of computer networks.

Description

Model training method, API request filtering method, device and storage medium
Technical Field
The invention relates to the technical field of computer networks, in particular to a model training method, an API (application program interface) request filtering method, a computer device and a storage medium.
Background
API abuse is a common attack vector for web application data leakage. Application ends and database servers are easily attacked through API requests such as SQL injection, http request and http request header parameter injection (including Cookie injection and XSS injection), resulting in data leakage or data tampering. For example, SQL injection is one of the common network attack modes. It does not rely on a bug in the operating system; instead, it takes advantage of negligence during programming by inserting SQL commands into a Web form submission or into the query string of a domain name or page request, so as to finally deceive the server into executing malicious SQL commands, log in without an account, and even tamper with the database. SQL injection attacks completely destroy the confidentiality, integrity, and availability of the target system, with the resulting loss varying with the importance of the information stored in the database. According to the principles of the related art, SQL injection may be divided into platform-level injection and code-level injection. The former is caused by insecure database configuration or vulnerabilities of the database platform; the latter is mainly due to the programmer not filtering the input carefully, so that illegal data queries are executed. Based on this, the causes of SQL injection usually appear in the following aspects: improper type handling, unsafe database configuration, unreasonable query set handling, improper error handling, improper escape character handling, and improper multiple submission handling.
With current computer network technology it is difficult to accurately detect, in real time, the various attacks in API requests such as SQL injection, XSS attacks and Cookie injection.
Interpretation of terms:
API: abbreviation of Application Programming Interface;
WEB: abbreviation of World Wide Web;
SQL: abbreviation of Structured Query Language;
http: abbreviation of Hyper Text Transfer Protocol.
Disclosure of Invention
Aiming at the technical problem that the existing computer network technology is difficult to accurately detect at least one of various attacks such as SQL injection, XSS attack, Cookie injection and the like in API requests in real time, the invention aims to provide a model training method, an API request filtering method, a computer device and a storage medium.
In one aspect, an embodiment of the present invention includes a model training method, including:
collecting a plurality of first API request data;
carrying out standardized format processing on each first API request data to obtain a training sample set;
classifying and constructing the training sample set according to features to obtain a self set;
obtaining an immune detector;
training the immune detector using the self set.
Further, the collecting a plurality of first API request data includes:
actively crawling the injection case through a crawler program;
extracting the first API request data from the injection case.
Further, the performing standardized format processing on the first API request data to obtain a training sample set includes:
processing the first API request data by using a special character separation method and a space separation method to obtain first characteristic information;
marking the first characteristic information to obtain token information;
constructing the token information into an attack sentence syntax tree;
and composing the training sample set by the attack sentence grammar tree.
Further, the classifying and constructing the training sample set according to features to obtain a self set includes:
carrying out naive Bayes cluster analysis on the training sample set, and classifying the contents in the training sample set into a normal data set or an abnormal data set according to the result of the naive Bayes cluster analysis;
extracting the feature attributes of the normal data set according to the feature attribute standard required by the multi-branch tree to obtain a first feature attribute;
and constructing the self set by taking the first feature attribute as the main attribute of each layer of nodes in the multi-branch tree storage structure.
Further, the model training method further comprises:
extracting the feature attributes of the abnormal data set according to the feature attribute standard required by the multi-branch tree to obtain a second feature attribute;
constructing the non-self set by taking the second feature attribute as the main attribute of each layer of nodes in the multi-branch tree storage structure;
training the immune detector using the self set and the non-self set.
Further, the training of the immune detector using the self set and the non-self set includes:
using the parameters of the immune detector as antibodies and the data in the self set and the non-self set as antigens;
executing a plurality of rounds of an iteration process until the total number of rounds executed reaches a round number threshold; in each round, matching the antibody and the antigen to obtain an affinity; storing the parameters of the immune detector when the affinity exceeds an affinity threshold, and otherwise altering the parameters of the immune detector.
On the other hand, the embodiment of the present invention further includes an API request filtering method, where the API request filtering method includes:
acquiring second API request data;
detecting the second API request data using an immune detector; the immunity detector is trained by a model training method in an embodiment;
obtaining a detection result of the immunity detector;
identifying the second API request data as a normal request or an abnormal request according to the detection result of the immunity detector;
when the second API request data are identified to be normal requests, responding to the second API request data; and when the second API request data are identified to be abnormal requests, rejecting or ignoring the second API request data.
On the other hand, the embodiment of the present invention further includes an API request filtering method, where the API request filtering method includes:
acquiring a plurality of second API request data;
sorting each second API request data based on a probability queue;
sequentially detecting each second API request data by using an immunity detector according to the sequence of each second API request data after sequencing; the immunity detector is trained by a model training method in an embodiment;
obtaining a detection result of the immunity detector;
identifying each second API request data as a normal request or an abnormal request according to the detection result of the immunity detector;
responding to the second API request data identified as normal requests, and rejecting or ignoring the second API request data identified as abnormal requests.
In another aspect, embodiments of the present invention further include a computer apparatus including a memory for storing at least one program and a processor for loading the at least one program to perform a model training method and/or an API request filtering method in an embodiment.
In another aspect, embodiments of the present invention also include a storage medium in which a processor-executable program is stored, the processor-executable program being configured to perform the model training method and/or the API request filtering method in the embodiments when executed by a processor.
The invention has the beneficial effects that: the immunodetector trained by the model training method in the embodiment has high detection speed and accuracy for detecting the dangerous injection information carried in the API request, can identify the input API request as an abnormal request when the input API request carries the dangerous injection information, and can identify the input API request as a normal request when the input API request does not carry the dangerous injection information, so that when the API request filtering method in the embodiment is executed, the immunodetector can accurately detect abnormal or illegal API requests such as various SQL injections, XSS attacks, Cookie injections and the like in real time, and uniform, safe and reliable guarantee service can be provided.
Drawings
FIG. 1 is a flow chart of a model training method in an embodiment;
FIG. 2 is a schematic diagram of a model training method in an embodiment;
FIG. 3 is a flowchart of a first embodiment of a method for API request filtering in an embodiment;
FIG. 4 is a flowchart of a second embodiment of the API request filtering method in the embodiment;
FIG. 5 is a flowchart illustrating the overall execution of the model training method and the API request filtering method according to an embodiment;
FIG. 6 is a block diagram of a system for performing an API request filtering method in an embodiment;
FIG. 7 is a structural diagram of a gateway server in the embodiment.
Detailed Description
In this embodiment, referring to fig. 1, the model training method includes the following steps:
P1. collecting a plurality of first API request data;
P2. carrying out standardized format processing on each first API request data to obtain a training sample set;
P3. classifying and constructing the training sample set according to features to obtain a self set;
P4. obtaining an immune detector;
P5. training the immune detector using the self set.
The principle of steps P1-P5 is shown in FIG. 2. In step P1, a gateway device is configured between the application end and the database server. The gateway device captures and analyzes incoming traffic packets, and the request data of the gateway is used to acquire a plurality of first API request data. Some of the first API request data are normal requests input by users, and some are illegal injection requests of different types input by malicious parties, such as http requests, http request header parameter injection (Cookie injection and XSS injection), and base64 injection. The format information of attack statements is obtained from the format of the parsed data messages.
In step P1, a crawler program may also be run to actively crawl injection cases and extract first API request data from them. Obtaining first API request data by running the crawler keeps that data up to date.
When the step P2 is executed, that is, the step of performing standardized format processing on each first API request data to obtain the training sample set, the following steps may be specifically executed:
P201. processing the first API request data by using a special character separation method and a space separation method to obtain first feature information;
P202. marking the first feature information to obtain token information;
P203. building the token information into an attack sentence syntax tree;
P204. forming a training sample set from the attack sentence syntax trees.
In step P201, the special character separation method and the space separation method may be used to extract feature information from the first API request data, where the extracted feature information is the first feature information.
In step P202, the first feature information extracted in step P201 is marked (tokenized). This is an atomization process, so that each smallest character unit in the first feature information becomes a token (also called token information) with a specific meaning. The tokens form feature vectors in a specific order; feature vectors whose length is smaller than a denoising threshold are filtered out, and the feature vectors undergo processing such as deduplication and character string splitting and merging. In step P203, an attack sentence syntax tree is formed from the feature vectors made up of these tokens, and in step P204 the resulting attack sentence syntax trees constitute the training sample set, i.e., the formatted data shown in FIG. 2.
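An added example (not code from the patent) of steps P201-P202 and the filtering described above: request data is split on whitespace and special characters, each unit is labeled with a token class, and feature vectors that are too short or duplicated are dropped. The token classes, keyword lists, URL-decoding step and threshold value are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed token classes; the patent does not enumerate them.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop",
                "from", "where", "or", "and", "sleep", "exec"}
SCRIPT_WORDS = {"script", "onerror", "onload", "alert", "javascript", "iframe"}

# P201: split on whitespace (space separation) and keep every special
# character as its own unit (special character separation).
_SPLIT = re.compile(r"\s+|([^\w\s])")


def split_units(raw):
    """Return the smallest character units of one request parameter string."""
    decoded = unquote_plus(raw)  # assumption: decode before splitting
    return [u for u in _SPLIT.split(decoded) if u]


def label(unit):
    """P202: give each unit a token with a specific meaning."""
    low = unit.lower()
    if low in SQL_KEYWORDS:
        return "SQL_KW"
    if low in SCRIPT_WORDS:
        return "SCRIPT_KW"
    if unit.isdigit():
        return "NUM"
    if len(unit) == 1 and not (unit.isalnum() or unit == "_"):
        return "SYM:" + unit
    return "IDENT"


def build_training_vectors(requests, denoise_threshold=3):
    """Tokenize requests, drop vectors shorter than the denoising
    threshold, and deduplicate while keeping first-seen order."""
    seen, vectors = set(), []
    for raw in requests:
        vec = tuple(label(u) for u in split_units(raw))
        if len(vec) < denoise_threshold:
            continue  # too short to carry a usable pattern
        if vec in seen:
            continue  # same token pattern already collected
        seen.add(vec)
        vectors.append(vec)
    return vectors


# Constructed sample request data (not taken from the patent).
SAMPLE_REQUESTS = [
    "id=1",
    "id=2",                                  # same token pattern as id=1
    "id=1%27+OR+1%3D1--",                    # textbook SQL injection form
    "q=%3Cscript%3Ealert(1)%3C/script%3E",   # textbook XSS form
    "ok",                                    # below the denoising threshold
]

if __name__ == "__main__":
    for vec in build_training_vectors(SAMPLE_REQUESTS):
        print(vec)
```

Because literals are replaced by token classes, `id=1` and `id=2` collapse into one vector, which is what makes the deduplication step meaningful.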
When step P3 is executed, that is, the training sample set is classified and constructed according to features to obtain a self set, the following steps may be specifically executed:
P301. carrying out naive Bayes cluster analysis on the training sample set, and classifying the contents in the training sample set into a normal data set or an abnormal data set according to the result of the naive Bayes cluster analysis;
P302. according to the feature attribute standard required by the multi-branch tree, performing feature attribute extraction on the normal data set to obtain a first feature attribute;
P303. constructing a self set by taking the first feature attribute as the main attribute of each layer of nodes in the multi-branch tree storage structure.
Referring to fig. 2, in step P301, a naive bayes cluster analysis is performed on the training sample set (i.e., the formatted data in fig. 2), and the contents in the training sample set are classified into a normal data set or an abnormal data set through the naive bayes cluster analysis.
In step P302, a multi-branch tree classification mapping technique is used, which is to perform secondary feature attribute extraction on data subjected to naive bayes cluster analysis by using a storage structure of a multi-branch tree according to a feature attribute standard required by the multi-branch tree, and convert the data into feature attributes required for constructing the multi-branch tree. Specifically, according to a characteristic attribute standard required by a multi-branch tree, extracting characteristic attributes of a normal data set to obtain a first characteristic attribute; in addition, feature attribute extraction can be performed on the abnormal data set according to a feature attribute standard required by the multi-branch tree to obtain a second feature attribute.
In step P303, the self set is constructed by using the first feature attribute obtained in step P302 as the main attribute of each layer of nodes in the multi-branch tree storage structure, and the non-self set is constructed by using the second feature attribute obtained in step P302 as the main attribute of each layer of nodes in the multi-branch tree storage structure.
In this embodiment, immune theory is introduced, and the self set and/or the non-self set are used as samples to train the immune detector. The concepts of the immune theory are as follows:
(1) Self/non-self sets. The immune detector to be trained in this embodiment can be used for detecting illegal service requests. The non-self set obtained by executing steps P301 to P303 contains service attack request data, and the self set contains normal service request data. Let the problem domain be X ∈ {0,1} (0 denotes normal, 1 denotes abnormal), which contains two subsets: the self set O and the non-self set F, where O ∪ F = S and O ∩ F = Θ; S represents the shape space and Θ represents the empty set.
(2) Antibodies and antigens. The immune detector to be trained in this embodiment can be used for illegal service request detection, and the service request information includes a plurality of attribute features, which are mapped into a real number range, and each service request data is corresponding to a d-dimensional vector. Each component of the d-dimensional vector represents a measure of its corresponding service request data, and each component can also be considered as a gene.
(3) Affinity. The mechanism of immune recognition is achieved by the degree of binding of an epitope to an antibody epitope, which is expressed as the concept of affinity in artificial immune methods. Affinity is a measure of the closeness of an antigen to an antibody.
Figure BDA0003439123590000061
is the affinity calculation formula, where F(t_i, t_j) denotes the affinity and d(t_i, t_j) denotes the distance between antibody t_i and antigen t_j. From the formula: the closer the antibody is to the antigen, the higher the affinity, and vice versa.
In step P4, the immunodetector is set up by reading initial parameters of the immunodetector.
In step P5, the immune detector is trained using the self set. Since the principle of training the immune detector using the non-self set is similar to the principle of training it using the self set, step P5 is described here only for the process of training the immune detector using both the self set and the non-self set.
When performing step P5, i.e. the step of training the immune detector using the self set and the non-self set, the following steps may be performed:
P501. using the parameters of the immune detector as antibodies, and using the data in the self set and the non-self set as antigens;
P502. executing a plurality of rounds of an iteration process until the total number of rounds executed reaches a round number threshold; in each round, matching the antibody and the antigen to obtain an affinity; storing the parameters of the immune detector when the affinity exceeds an affinity threshold, and otherwise altering the parameters of the immune detector.
When steps P501-P502 are to be performed using a computer program, the flow to be performed by the computer program is as follows:
(1) Initialize the plug-in package types and traverse them for loading.
(2) Complete the initial loading of the SQL, XSS and Cookie plug-in packages, and complete the secondary feature attribute extraction of the request data.
(3) Complete the secondary attribute extraction of other request data by loading plug-in packages.
(4) Read the signatures for comparison.
(5) Match against the immune detector, calculate the affinity, check the immune evolution generation count, and store the result as an experience threshold when the preset threshold is reached.
(6) Repeat steps 1-5 to learn and refine the matching library.
From the above-described flow, it can be determined that the specific model algorithm of the computer program for executing steps P501-P502 is as follows:
(1) Input:
① Initial set of detectors: ImDetectors[]
② Original data attribute value vector set: originMetricValues[]
③ Classified secondary data feature attribute value vector set: MetricValues[]
④ Affinity threshold: AffinityThreshold
⑤ Immune evolution generations: Iteration
⑥ Periodic learning period: T
(2) Algorithm:
① Init Iteration = 100 // evolution generation count initially set to 100
② Init AffinityThreshold = 100 // affinity threshold initially set to 100
③ MetricValues[] = initWithPluginPackage(originMetricValues) // data classification and secondary feature attribute extraction are completed according to the plug-in package, i.e. the process of steps P301-P303
④ While true do
⑤ For (MetricValue val : MetricValues) {
⑥ affinityResult = matching(ImDetectors[val.type], val) // match the detector corresponding to the type of the classified data to obtain an affinity result
⑦ If the iteration generation count is reached and the affinity result exceeds the preset threshold
⑧ updateDetectors(affinityResult, ImDetectors[val.type]) // store and refine the corresponding detector
⑨ }
⑩ r++ // increment the evolution generation count
⑪ }
⑫ Wait(T)
⑬ End while
According to the model above, the immune detector is trained in simulation on different types of first API request data through multiple rounds of learning iteration. Because the training process of steps P501-P502 uses a secondary feature matching model that combines a naive Bayesian classification model with a machine-learning-based immune detector, the immune detector trained in steps P501-P502 has higher detection speed and accuracy than other detection models when detecting dangerous injection information carried in API requests. When an input API request carries dangerous injection information, it can be identified as an abnormal request, and when it does not, it can be identified as a normal request. The immune detector trained in steps P1-P5 can therefore accurately detect, in real time, abnormal or illegal API requests such as various SQL injections, XSS attacks and Cookie injections, and provide a uniform, safe and reliable guarantee service.
API requests, including http requests and http headers, that conform to the grammar of SQL injection, XSS attacks, Cookie attacks and the like can be actively generated and input to the immune detector trained through steps P1-P5, so as to test the system robustness of the immune detector.
The API request filtering method may be performed using an immunodetector trained through steps P1-P5.
Referring to FIG. 3, one API request filtering method that may be performed using the immunodetector trained through steps P1-P5 includes the steps of:
S1A, acquiring second API request data;
S2A, detecting second API request data by using an immune detector;
S3A, obtaining a detection result of the immunity detector;
S4A, identifying the second API request data as a normal request or an abnormal request according to the detection result of the immunity detector;
S5A, when the second API request data are identified as normal requests, responding to the second API request data; and when the second API request data is identified as an abnormal request, rejecting or ignoring the second API request data.
Steps S1A-S5A may be used for processing a single API request data. In step S1A, a gateway device is configured between the application end and the database server. The gateway device captures and analyzes incoming traffic packets, and the request data of the gateway is used to acquire one second API request data. The second API request data may be a normal request input by a user, or an illegal injection request of some type input by a malicious party, such as an http request, http request header parameter injection (Cookie injection and XSS injection), or base64 injection. Which of these it is can be detected and determined by the immune detector.
In steps S2A-S4A, the second API request data is input to the immunodetector, the immunodetector detects the second API request data, and the obtained detection result indicates that the second API request data is a normal request or the second API request data is an abnormal request.
In step S5A, if the gateway device recognizes that the second API request data is a normal request, the gateway device may respond to the second API request data, specifically, the gateway device may release the second API request data, so that the second API request data can reach the next node, or the gateway device performs a corresponding access operation in response to the request of the second API request data. If the gateway device recognizes that the second API request data is an abnormal request, the gateway device may reject or ignore the second API request data, and specifically, the gateway device may not release the second API request data, so that the second API request data cannot reach a next node, and the second API request data cannot trigger the gateway device and a related node to perform a corresponding operation, and the like, thereby achieving a filtering effect on an illegal API request.
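An added example (not code from the patent) that carries steps P501-P502 through to the decision of steps S2A-S5A on d-dimensional vectors. The affinity function 1/(1 + distance), the centroid starting point, the move-toward-antigen update, the self-tolerance check and all threshold values are assumptions, since the patent's formula image is not reproduced on this page; the three-component vectors are constructed sample data.

```python
import math


def distance(a, b):
    """Euclidean distance between an antibody and an antigen."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def affinity(antibody, antigen):
    # Assumed form: it only preserves the stated property that a smaller
    # distance gives a higher affinity.
    return 1.0 / (1.0 + distance(antibody, antigen))


def train_detectors(self_set, nonself_set, affinity_threshold=0.8,
                    max_rounds=100, step=0.5):
    """P501-P502: detector parameters are antibodies, samples are antigens."""
    dim = len(self_set[0])
    # Assumption: every antibody starts at the centroid of the self set.
    start = [sum(v[i] for v in self_set) / len(self_set) for i in range(dim)]
    stored = []
    for antigen in nonself_set:
        antibody = list(start)
        for _ in range(max_rounds):  # round number threshold
            if affinity(antibody, antigen) > affinity_threshold:
                # Self-tolerance check (assumption): a detector that also
                # binds normal traffic would block legitimate requests.
                if all(affinity(antibody, s) <= affinity_threshold
                       for s in self_set):
                    stored.append(tuple(antibody))
                break
            # Affinity too low: alter the parameters toward the antigen.
            antibody = [a + step * (g - a) for a, g in zip(antibody, antigen)]
    return stored


def classify(vector, detectors, affinity_threshold=0.8):
    """S2A-S4A: abnormal if any stored detector binds the request."""
    best = max((affinity(d, vector) for d in detectors), default=0.0)
    return "abnormal" if best > affinity_threshold else "normal"


def gateway_filter(vector, detectors, affinity_threshold=0.8):
    """S5A: respond to normal requests, reject abnormal ones."""
    verdict = classify(vector, detectors, affinity_threshold)
    return "reject" if verdict == "abnormal" else "forward"


# Constructed vectors: (SQL keyword count, script keyword count, symbol count).
SELF_SET = [(0, 0, 1), (0, 0, 2), (0, 0, 3)]
NONSELF_SET = [(2, 0, 6), (0, 3, 9), (0, 0, 3.1)]  # last one sits next to self

if __name__ == "__main__":
    detectors = train_detectors(SELF_SET, NONSELF_SET)
    print(detectors)
    for request in [(0, 0, 2), (2, 0, 5.9), (5, 0, 12)]:
        print(request, gateway_filter(request, detectors))
```

The detector grown for the third non-self sample is discarded because it also binds a self sample, and a vector far from every stored detector, such as `(5, 0, 12)`, is forwarded, so coverage depends on how well the non-self set spans the traffic the gateway will see.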
Referring to FIG. 4, another API request filtering method that may be performed using the immunodetector trained through steps P1-P5 includes the steps of:
S1B, acquiring a plurality of second API request data;
S2B, sorting each second API request data based on a probability queue;
S3B, sequentially detecting the second API request data by using an immunity detector according to the sequence of the sequenced second API request data;
S4B, obtaining a detection result of the immunity detector;
S5B, identifying each second API request data as a normal request or an abnormal request according to the detection result of the immunity detector;
S6B, responding to the second API request data identified as normal requests, and rejecting or ignoring the second API request data identified as abnormal requests.
Steps S1B-S6B may be used to process multiple API request data acquired simultaneously.
Step S1B is the same principle as step S1A, except that step S1A acquires one second API request data, and step S1B acquires a plurality of second API request data.
In step S2B, the second API request data are sorted based on the probability queue, so that each second API request data has its corresponding order. In step S3B, the immunodetector is used to sequentially detect the second API request data in the order of the sorted second API request data, and the principle of the immunodetector detecting the second API request data is the same as that in step S2A.
In step S4B, since the immunodetector inputs and detects a plurality of second API request data, the immunodetector outputs a plurality of detection results, each indicating whether the corresponding second API request data belongs to a normal request or an abnormal request. The principle of step S6B is the same as that of step S5A, and for the second API request data identified as normal requests, the gateway device may pass through these second API request data, enable these second API request data to reach the next node, or perform corresponding access operations in response to the requests of these second API request data. For the second API request data identified as the abnormal request, the gateway device may reject or ignore the second API request data, and specifically, the gateway device may not release the second API request data, so that the second API request data cannot reach the next node, and the second API request data cannot trigger the gateway device and the related node to perform corresponding operations, and the like, thereby achieving a filtering effect on the illegal API request.
In steps S2B and S3B, the second API request data are sorted based on a probability queue and then detected sequentially by the immune detector in the sorted order. This takes into account that the probability of being matched differs for each second API request data, and it can improve the matching speed when a large number of second API request data arrive concurrently and all need to be detected, thereby improving the efficiency of detecting and filtering illegal API requests.
When steps P1-P5 are executed together with steps S1A-S5A, or together with steps S1B-S6B, the overall flow is as shown in FIG. 5. In FIG. 5, in response to a newly discovered security vulnerability, a new and more efficient algorithm library is introduced as a plug-in package, dynamically deployed into the context of the gateway call chain through a Groovy script, and loaded so that it takes effect in real time.
The API request filtering method in this embodiment may be implemented by using the system shown in fig. 6, where the core of the system is a gateway server, which is an API gateway, and becomes an anti-attack filter by running the API request filtering method in this embodiment. The gateway server side constructs an immunity detector with an interception library through training of a machine learning model, and API request information from an application or a client side may or may not contain sensitive words. The gateway server detects API request information from an application or a client, filters illegal API request information in the API request information, such as API request information containing sensitive words, and only sends the legal API request information to the service server.
The structure of the gateway server in fig. 6 may be as shown in fig. 7. Referring to fig. 7, the gateway server includes network traffic control, API request filter, and security access control capabilities. The API request filter constructs SQL, XSS and Cookie detectors in a Groovy plug-in package mode, realizes filtering strategy configuration of API requests and responses in a hot deployment mode, and supports assembly based on a plug-in package filtering chain.
The service gateway supports SQL injection prevention, XSS cross-site attack prevention, Cookie injection prevention and the like by providing dynamic and static strategy configuration. The operation and maintenance personnel configure keywords or expressions of dangerous SQL (structured query language) or dangerous scripts (XSS cross-site attack prevention) aiming at the whole situation or the interface through the operation and maintenance person view, identify whether the message carries dangerous keywords or not through adding a filter, and intercept dangerous requests.
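The policy configuration described above can be illustrated with a short sketch. This is an added example, not code from the patent or from the applicant's gateway: the embodiment builds its detectors as Groovy plug-in packages, while Python is used here, and the class names, request shape, interface paths and keyword expressions are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Request:                       # constructed request shape (assumption)
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)

class KeywordDetector:
    """One plug-in of the filter chain: a named list of dangerous expressions."""
    def __init__(self, name, patterns, source="params"):
        self.name = name
        self.source = source         # which part of the message is inspected
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]

    def hits(self, request):
        values = getattr(request, self.source).values()
        return any(p.search(str(v)) for v in values for p in self.patterns)

class FilterChain:
    def __init__(self):
        self.global_plugins = {}     # name -> detector, applies to every interface
        self.interface_plugins = {}  # path -> {name -> detector}

    def deploy(self, detector, path=None):
        """Add or replace a plug-in while the chain keeps serving requests."""
        if path is None:
            self.global_plugins[detector.name] = detector
        else:
            self.interface_plugins.setdefault(path, {})[detector.name] = detector

    def check(self, request):
        """Return (allowed, name of the intercepting plug-in or None)."""
        # An interface-level plug-in overrides a global one of the same name.
        active = {**self.global_plugins,
                  **self.interface_plugins.get(request.path, {})}
        for name, detector in active.items():
            if detector.hits(request):
                return False, name
        return True, None

def build_chain():
    """Global policy with SQL, XSS and Cookie detectors (constructed expressions)."""
    chain = FilterChain()
    chain.deploy(KeywordDetector("sql", [r"\bunion\b.+\bselect\b",
                                         r"\bor\b\s+\d+\s*=\s*\d+"]))
    chain.deploy(KeywordDetector("xss", [r"<\s*script\b"]))
    chain.deploy(KeywordDetector("cookie", [r"['\"<>]"], source="cookies"))
    return chain

if __name__ == "__main__":
    chain = build_chain()
    report = Request("/api/v1/report", {"q": "select name from users"})
    print(chain.check(report))       # passes the global policy
    chain.deploy(KeywordDetector("sql-strict", [r"\bselect\b"]),
                 path="/api/v1/report")
    print(chain.check(report))       # intercepted after the interface-level deploy
```

Keyword expressions of this kind are easy to over-match or under-match, which is why the embodiment pairs the configured filters with a trained immune detector.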
Referring to FIG. 7, peripheral functions such as an integrated capability management console are also configured for the gateway server. The management console is designed as a Web front end and provides three views: a developer view (a unified service entrance for developers, providing user management, application management, a capability directory, statistical queries, a help center and the like); an operation and maintenance view (through which operation and maintenance personnel manage the applications, capabilities, APIs, configuration, monitoring, resources, security and the like of the management system and ensure normal operation of the API capability open platform); and an operator view (a unified entrance for the operation management personnel of the capability open platform, providing developer management, application management, capability management, statistical queries, system security management, agency audit management, announcement management, service management, system management, log management and monitoring management, and serving as a one-stop entrance for process operation and maintenance management services).
By operating the gateway server shown in fig. 7, the system shown in fig. 6 can work to execute the API request filtering method in this embodiment, thereby achieving the technical effect of the API request filtering method in this embodiment.
The same technical effects as those of the model training method and the API request filtering method in the embodiments can be achieved by writing a computer program that implements these methods, storing the program in a computer device or a storage medium, and executing the methods when the program is read out and run.
It should be noted that, unless otherwise specified, when a feature is referred to as being "fixed" or "connected" to another feature, it may be directly fixed or connected to the other feature or indirectly fixed or connected to the other feature. Furthermore, the descriptions of upper, lower, left, right, etc. used in the present disclosure are only relative to the mutual positional relationship of the constituent parts of the present disclosure in the drawings. As used in this disclosure, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. In addition, unless defined otherwise, all technical and scientific terms used in this example have the same meaning as commonly understood by one of ordinary skill in the art. The terminology used in the description of the embodiments herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this embodiment, the term "and/or" includes any combination of one or more of the associated listed items.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element of the same type from another. For example, a first element could be termed a second element, and, similarly, a second element could be termed a first element, without departing from the scope of the present disclosure. The use of any and all examples, or exemplary language ("e.g.", "such as", or the like) provided with this embodiment is intended merely to better illuminate embodiments of the invention and does not pose a limitation on the scope of the invention unless otherwise claimed.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, operations of processes described in this embodiment can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described in this embodiment (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the method may be implemented in any type of computing platform operatively connected to a suitable interface, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be embodied in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated into a computing platform, such as a hard disk, optically read and/or write storage medium, RAM, ROM, or the like, such that it may be read by a programmable computer, which when read by the storage medium or device, is operative to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described in this embodiment includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein.
A computer program can be applied to input data to perform the functions described in the present embodiment to convert the input data to generate output data that is stored to a non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
The above description is only a preferred embodiment of the present invention, and the present invention is not limited to the above embodiment, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention as long as the technical effects of the present invention are achieved by the same means. The invention is capable of other modifications and variations in its technical solution and/or its implementation, within the scope of protection of the invention.

Claims (10)

1. A model training method, characterized in that the model training method comprises:
collecting a plurality of first API request data;
carrying out standardized format processing on each first API request data to obtain a training sample set;
classifying the training sample set according to features and constructing a self set from it;
obtaining an immune detector;
training the immune detector using the self set.
2. The model training method of claim 1, wherein said collecting a plurality of first API request data comprises:
actively crawling injection cases with a crawler program;
extracting the first API request data from the injection cases.
3. The model training method of claim 1, wherein said carrying out standardized format processing on each first API request data to obtain a training sample set comprises:
processing the first API request data using a special-character separation method and a space separation method to obtain first feature information;
marking the first feature information to obtain token information;
constructing the token information into an attack sentence syntax tree;
and composing the training sample set from the attack sentence syntax trees.
4. The model training method according to claim 1, wherein said classifying the training sample set according to features and constructing a self set comprises:
carrying out naive Bayes cluster analysis on the training sample set, and classifying the contents of the training sample set into a normal data set or an abnormal data set according to the result of the naive Bayes cluster analysis;
extracting feature attributes of the normal data set according to the feature attribute standard required by the multi-branch tree to obtain a first feature attribute;
and constructing the self set by taking the first feature attribute as the main attribute of the nodes at each layer of the multi-branch tree storage structure.
5. The model training method of claim 4, further comprising:
extracting feature attributes of the abnormal data set according to the feature attribute standard required by the multi-branch tree to obtain a second feature attribute;
constructing the non-self set by taking the second feature attribute as the main attribute of the nodes at each layer of the multi-branch tree storage structure;
training the immune detector using the self set and the non-self set.
6. The model training method of claim 5, wherein said training the immune detector using the self set and the non-self set comprises:
using the parameters of the immune detector as antibodies and the data in the self set and the non-self set as antigens;
executing multiple rounds of an iteration process until the total number of rounds executed reaches a round-number threshold; in each round of the iteration process, matching the antibody against the antigen to obtain an affinity; storing the parameters of the immune detector when the affinity exceeds an affinity threshold, and otherwise altering the parameters of the immune detector.
7. An API request filtering method, characterized in that the API request filtering method comprises:
acquiring second API request data;
detecting the second API request data using an immune detector, the immune detector being trained by the model training method of any one of claims 1 to 6;
obtaining a detection result of the immune detector;
identifying the second API request data as a normal request or an abnormal request according to the detection result of the immune detector;
when the second API request data is identified as a normal request, responding to the second API request data; and when the second API request data is identified as an abnormal request, rejecting or ignoring the second API request data.
8. An API request filtering method, characterized in that the API request filtering method comprises:
acquiring a plurality of second API request data;
sorting the second API request data based on a probability queue;
detecting each second API request data in turn using an immune detector, in the order of the sorted second API request data, the immune detector being trained by the model training method of any one of claims 1 to 6;
obtaining a detection result of the immune detector;
identifying each second API request data as a normal request or an abnormal request according to the detection result of the immune detector;
responding to the second API request data identified as normal requests, and rejecting or ignoring the second API request data identified as abnormal requests.
9. A computer apparatus comprising a memory for storing at least one program and a processor for loading the at least one program to perform the model training method of any one of claims 1-6 and/or the API request filtering method of any one of claims 7-8.
10. A storage medium having stored therein a processor-executable program, wherein the processor-executable program, when executed by a processor, is configured to perform the model training method of any one of claims 1 to 6 and/or the API request filtering method of any one of claims 7 to 8.
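The tokenisation of claim 3, the training loop of claim 6 and the detection step of claim 7 can be sketched as follows. This is an added example and not the applicant's implementation: the patent's syntax tree and multi-branch tree storage are replaced by plain token trigrams, "altering the parameters" is simplified to trying the next candidate, and the affinity formula, thresholds and sample requests are constructed assumptions.

```python
import re

def tokenize(request_text):
    """Special-character and space separation: words stay whole, each symbol is a token."""
    return re.findall(r"[a-z0-9_]+|[^\sa-z0-9_]", request_text.lower())

def mark(tokens):
    """Mark tokens so that detectors generalise: every number becomes NUM."""
    return ["NUM" if t.isdigit() else t for t in tokens]

def trigrams(request_text):
    seq = mark(tokenize(request_text))
    return {tuple(seq[i:i + 3]) for i in range(len(seq) - 2)}

def affinity(antibody, self_antigens, nonself_antigens):
    """Assumed affinity: share of non-self antigens matched, 0 if any self antigen matches."""
    if any(antibody in antigen for antigen in self_antigens):
        return 0.0
    matched = sum(antibody in antigen for antigen in nonself_antigens)
    return matched / len(nonself_antigens)

def train(self_set, nonself_set, affinity_threshold=0.4, round_threshold=50):
    """Return the stored antibodies (detector parameters) after the iteration rounds."""
    self_antigens = [trigrams(s) for s in self_set]
    nonself_antigens = [trigrams(s) for s in nonself_set]
    candidates = sorted(set().union(*nonself_antigens))   # possible parameters
    stored = set()
    for round_no in range(min(round_threshold, len(candidates))):
        antibody = candidates[round_no]
        if affinity(antibody, self_antigens, nonself_antigens) > affinity_threshold:
            stored.add(antibody)      # affinity above threshold: keep the parameters
        # otherwise the parameters are altered: the next round tries the next candidate
    return stored

def is_abnormal(request_text, detector):
    """Detection step: a request matching any stored antibody is an abnormal request."""
    return bool(trigrams(request_text) & detector)

# Constructed samples standing in for the self set and the non-self set.
SELF_SET = ["id=42&page=2", "name=alice&sort=asc",
            "q=weather or climate", "range=1-10"]
NONSELF_SET = ["id=42 or 1=1", "name=a' or 2=2 --",
               "q=<script>alert(1)</script>", "body=<script>x</script>"]

if __name__ == "__main__":
    detector = train(SELF_SET, NONSELF_SET)
    for text in ["id=7 or 5=5", "page=3&size=20", "q=cats or dogs"]:
        print(text, "->", "reject" if is_abnormal(text, detector) else "respond")
```

Censoring candidates against the self set is what keeps a legitimate request such as `q=cats or dogs` from being rejected even though it contains the word `or`.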
CN202111627427.0A 2021-12-28 2021-12-28 Model training method, API request filtering method, device and storage medium Pending CN114372519A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111627427.0A CN114372519A (en) 2021-12-28 2021-12-28 Model training method, API request filtering method, device and storage medium

Publications (1)

Publication Number Publication Date
CN114372519A true CN114372519A (en) 2022-04-19

Family

ID=81141521

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111627427.0A Pending CN114372519A (en) 2021-12-28 2021-12-28 Model training method, API request filtering method, device and storage medium

Country Status (1)

Country Link
CN (1) CN114372519A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208801A (en) * 2022-05-27 2022-10-18 奇安信科技集团股份有限公司 API (application program interface) collaborative identification method and device, electronic equipment, medium and product
CN116155628A (en) * 2023-04-20 2023-05-23 中国工商银行股份有限公司 Network security detection method, training device, electronic equipment and medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115208801A (en) * 2022-05-27 2022-10-18 奇安信科技集团股份有限公司 API (application program interface) collaborative identification method and device, electronic equipment, medium and product
CN116155628A (en) * 2023-04-20 2023-05-23 中国工商银行股份有限公司 Network security detection method, training device, electronic equipment and medium
CN116155628B (en) * 2023-04-20 2023-07-18 中国工商银行股份有限公司 Network security detection method, training device, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination