CN106209845A - A method for identifying malicious HTTP requests based on Bayesian learning theory - Google Patents

Publication number
CN106209845A
Authority
CN
China
Legal status
Pending
Application number
CN201610546795.5A
Other languages
Chinese (zh)
Inventor
何清林
马秀娟
张家琦
王子厚
王大伟
朱佳伟
刘培朋
王维晟
Current Assignee
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention discloses a method for identifying malicious HTTP requests based on Bayesian learning theory. The method comprises the following steps: collect a set number of normal HTTP requests and malicious HTTP requests; process the collected normal and malicious HTTP requests separately to obtain a sample set, in which each sample comprises a sample class and a sample feature space; input the sample set as the training set and use a Bayesian classification learning algorithm to learn a binary classifier; for an HTTP request to be judged, extract the judgment features to obtain a judgment feature space, use the binary classifier to predict whether the request is a malicious HTTP request or a normal HTTP request, and label the HTTP request to be judged with the result, thereby obtaining the judgment result. The method can determine whether an HTTP request initiated from the user terminal side is a malicious request or a normal request.

Description

A method for identifying malicious HTTP requests based on Bayesian learning theory
Technical field
The invention belongs to the technical field of network security, and specifically relates to a method for identifying malicious HTTP requests based on Bayesian learning theory.
Background
Because the HTTP protocol is standardized and widely applicable, in addition to common web site services, the various emerging mobile applications (apps) have also begun to use HTTP for data communication. Many applications stay resident in the background and automatically send HTTP request messages to the server to transmit data. If the application is malicious, these HTTP requests may involve malicious behaviour such as stealing user privacy or propagating botnet and trojan messages.
An HTTP request is a message initiated from the user side to the server side, usually using the HTTP GET method or the HTTP POST method. For the HTTP GET method, the request message is as follows:
"/domain-name/demo_form.jsp?name1=value1&name2=value2"
For the POST method, the request message is as follows:
"POST /test/demo_form.jsp HTTP/1.1, Host: w3schools.com
name1=value1&name2=value2".
As can be seen from the above, both HTTP GET requests and HTTP POST requests contain fields of the form "name=value". These fields are added by the application itself, and it is through these fields that the application transmits content from the user side. These fields are the key to judging whether an HTTP request is malicious behaviour.
How to judge whether an HTTP request sent from the user side is normal or malicious is a technical problem that needs to be solved. The present invention proposes a method based on Bayesian theory that can automatically predict and judge whether an HTTP request is malicious behaviour. The method is mainly based on Bayesian learning classification theory, which has been applied to applications such as spam filtering. The Bayes principle is a basic principle of probability theory: based on conditional probability theory and the theory of total probability, it uses prior probabilities to determine posterior probabilities.
Summary of the invention
In view of this, the invention provides a method for identifying malicious HTTP requests based on Bayesian learning theory, which can determine whether an HTTP request initiated from the user terminal side is a malicious request or a normal request.
To achieve the above object, the technical solution of the invention is a method for identifying malicious HTTP requests based on Bayesian learning theory, comprising the following steps:
S1. Collect a set number of normal HTTP requests and malicious HTTP requests.
S2. Process the collected normal HTTP requests and malicious HTTP requests separately according to S2.1 to S2.4 below to obtain the sample set, specifically:
S2.1. Manually label the collected HTTP requests: a normal HTTP request is given the label 0, and a malicious HTTP request is given the label 1.
S2.2. For all collected HTTP requests, extract the "value" field value information from the "name=value" fields they contain; the "value" field values that occur in all HTTP requests in the sample set form the feature space.
S2.3. Take each HTTP request as one sample to form the sample set; a sample comprises a sample class and a sample feature space:
The class of a sample is the label assigned manually in S2.1, which is 0 or 1.
The sample feature space is the feature space from S2.2; in it, the fields corresponding to all "value" field values that occur in this sample are marked 1, and the others are marked 0.
S3. Input the sample set from step S2 as the training set and use a Bayesian classification learning algorithm to learn a binary classifier.
S4. For an HTTP request to be judged, extract the judgment features. The judgment feature extraction process is as follows: build a judgment feature space consistent with the feature space in S2.2, with all fields initially marked 0, then update to 1 the fields corresponding to all "value" field values that occur in the HTTP request to be judged; the others remain 0.
S5. Feed the HTTP request to be judged from S4 into the binary classifier from S3 for prediction, determine whether it is a malicious HTTP request or a normal HTTP request, and label the HTTP request to be judged with the judgment result, thereby obtaining the judgment result.
Further, in S5, after the judgment result is obtained, the HTTP request to be judged, labelled with the judgment result, is added to the training set as a new sample; steps S2 and S3 are repeated to update the binary classifier until the classifier is stable.
Beneficial effects:
The method is based on Bayesian learning classification theory. From the probability with which "name=value" fields occur in HTTP requests of known class, it learns whether a request is a malicious HTTP request; it then extracts the "name=value" field information from an unclassified HTTP request to judge whether that request is malicious. The method can judge quickly and accurately whether an HTTP request is malicious.
Detailed description
The present invention is described below with reference to an embodiment.
The present invention proposes a method based on Bayesian theory that can automatically predict and judge whether an HTTP request is malicious behaviour. The method is mainly based on Bayesian learning classification theory, which has been applied to applications such as spam filtering. The Bayes principle is a basic principle of probability theory: based on conditional probability theory and the theory of total probability, it uses prior probabilities to determine posterior probabilities. From the probability with which "name=value" fields occur in HTTP requests of known class, the method learns whether a request is a malicious HTTP request; it then extracts the "name=value" field information from an unclassified HTTP request to judge whether that request is malicious. The method comprises the following steps:
S1. First, collect a certain number of normal HTTP requests and malicious HTTP requests;
S2. Label the collected HTTP requests and extract features, as input for the training set;
S2 further comprises the following steps:
S2.1. First, manually label the collected HTTP requests: a normal HTTP request is given the label 0, and a malicious HTTP request is given the label 1;
S2.2. For all collected HTTP requests, extract the "value" field value information from the "name=value" fields they contain, and take the "value" field values that occur as the feature space;
S2.3. Take each HTTP request as one sample. The class of the sample is the label assigned manually in S2.1, which is 0 or 1. The feature space of the sample is the feature space from S2.2: if a given "value" field value occurs in this sample, the corresponding feature field is marked 1, otherwise it is marked 0;
S2.4. Input each collected HTTP request sample as part of the training set;
S3. Input the sample set from step S2 as the training set and use a Bayesian classification learning algorithm to learn a binary classifier;
S4. For an HTTP request that needs to be judged, first extract and compute its features and prepare it as a sample for prediction. The feature computation is as follows: take the feature space from S2.2 as the feature space with all fields marked 0, extract the "value" field values from all "name=value" fields that occur in the HTTP request, and update the features corresponding to these "value" field values to 1; the others remain 0;
S5. Feed the sample to be predicted from S4 into the binary classifier learned in S3 for prediction, and determine whether it is a malicious HTTP request or a normal HTTP request;
S6. After selective manual confirmation, add the samples predicted in S5 to the training set as new samples, and repeat steps S2 and S3 to reinforce the classifier's learning until the classifier is stable.
In summary, the above is only a preferred embodiment of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
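Steps S1 to S5 above, worked through as an added Python example (it is not code from the patent). The page only names a "Bayes classification learning algorithm", so the Bernoulli naive Bayes variant, the Laplace smoothing parameter `alpha`, the 0.5 threshold, all function names and the constructed sample requests are assumptions.

```python
import math
from urllib.parse import parse_qsl, urlsplit

# Constructed training data (S1/S2.1): label 0 = normal, 1 = malicious.
TRAINING = [
    ("GET /news/list.jsp?page=1&lang=en HTTP/1.1\nHost: app.example\n\n", 0),
    ("GET /news/list.jsp?page=2&lang=en HTTP/1.1\nHost: app.example\n\n", 0),
    ("POST /search.jsp HTTP/1.1\nHost: app.example\n\nq=weather&lang=en", 0),
    ("POST /gate.jsp HTTP/1.1\nHost: c2.example\n\ncmd=upload_contacts&ver=1", 1),
    ("GET /gate.jsp?cmd=upload_sms&ver=1 HTTP/1.1\nHost: c2.example\n\n", 1),
    ("POST /gate.jsp HTTP/1.1\nHost: c2.example\n\ncmd=upload_contacts&ver=2", 1),
]


def extract_values(raw_request):
    """S2.2/S4: set of "value" strings from the query string and form body."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split(" ")
    target = parts[1] if len(parts) >= 2 else parts[0]
    pairs = parse_qsl(urlsplit(target).query) + parse_qsl(body.strip())
    return {value for _, value in pairs}  # parse_qsl also percent-decodes


def train(samples, alpha=1.0):
    """S2.3/S3: fit Bernoulli naive Bayes (variant and alpha are assumptions)."""
    rows = [(extract_values(req), label) for req, label in samples]
    count = {c: sum(1 for _, label in rows if label == c) for c in (0, 1)}
    if min(count.values()) == 0:
        raise ValueError("training set needs both normal and malicious samples")
    vocab = sorted(set().union(*(values for values, _ in rows)))
    prob = {}
    for c in (0, 1):
        hits = {v: sum(1 for values, label in rows if label == c and v in values)
                for v in vocab}
        prob[c] = {v: (hits[v] + alpha) / (count[c] + 2 * alpha) for v in vocab}
    prior = {c: count[c] / len(rows) for c in (0, 1)}
    return {"vocab": vocab, "prior": prior, "prob": prob}


def featurize(model, raw_request):
    """S4: start from all zeros over the training feature space, set hits to 1."""
    present = extract_values(raw_request)
    return [1 if v in present else 0 for v in model["vocab"]]


def malicious_probability(model, raw_request):
    """S5: posterior P(label = 1 | features), computed in log space."""
    bits = featurize(model, raw_request)
    log_post = {}
    for c in (0, 1):
        total = math.log(model["prior"][c])
        for v, bit in zip(model["vocab"], bits):
            p = model["prob"][c][v]
            total += math.log(p if bit else 1.0 - p)
        log_post[c] = total
    diff = max(-700.0, min(700.0, log_post[1] - log_post[0]))  # keep exp() in range
    return 1.0 / (1.0 + math.exp(-diff))


def classify(model, raw_request, threshold=0.5):
    """S5: return label 1 (malicious) or 0 (normal)."""
    return 1 if malicious_probability(model, raw_request) >= threshold else 0
```

Because only values are used as features, the `1` in `page=1` and in `ver=1` is the same feature, and a request whose values were all unseen in training is scored purely on the absence of known values, which is where the manual confirmation in S6 matters.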

Claims (2)

1. A method for identifying malicious HTTP requests based on Bayesian learning theory, characterized in that the method comprises the following steps:
S1. Collect a set number of normal HTTP requests and malicious HTTP requests;
S2. Process the collected normal HTTP requests and malicious HTTP requests separately according to S2.1 to S2.4 below to obtain the sample set, specifically:
S2.1. Manually label the collected HTTP requests: a normal HTTP request is given the label 0, and a malicious HTTP request is given the label 1;
S2.2. For all collected HTTP requests, extract the "value" field value information from the "name=value" fields they contain; the "value" field values that occur in all HTTP requests in the sample set form the feature space;
S2.3. Take each HTTP request as one sample to form the sample set; a sample comprises a sample class and a sample feature space:
The class of a sample is the label assigned manually in S2.1, which is 0 or 1;
The sample feature space is the feature space from S2.2; in it, the fields corresponding to all "value" field values that occur in this sample are marked 1, and the others are marked 0;
S3. Input the sample set from step S2 as the training set and use a Bayesian classification learning algorithm to learn a binary classifier;
S4. For an HTTP request to be judged, extract the judgment features. The judgment feature extraction process is as follows: build a judgment feature space consistent with the feature space in S2.2, with all fields initially marked 0, then update to 1 the fields corresponding to all "value" field values that occur in the HTTP request to be judged; the others remain 0;
S5. Feed the HTTP request to be judged from S4 into the binary classifier from S3 for prediction, determine whether it is a malicious HTTP request or a normal HTTP request, and label the HTTP request to be judged with the judgment result, thereby obtaining the judgment result.
2. The method for identifying malicious HTTP requests based on Bayesian learning theory according to claim 1, characterized in that, in said S5, after the judgment result is obtained, the HTTP request to be judged, labelled with the judgment result, is added to the training set as a new sample; steps S2 and S3 are repeated to update the binary classifier until the classifier is stable.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610546795.5A 2016-07-12 2016-07-12 A method for identifying malicious HTTP requests based on Bayesian learning theory

Publications (1)

Publication Number Publication Date
CN106209845A (en) 2016-12-07

Family

ID=57476516


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20161207
