CN106209845A - Method for determining malicious HTTP requests based on Bayesian learning theory - Google Patents
- Publication number
- CN106209845A
- Authority
- CN
- China
- Prior art keywords
- http request
- sample
- request
- value
- http
- Prior art date
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The invention discloses a method for determining malicious HTTP requests based on Bayesian learning theory. The method comprises the following steps: collecting a set number of normal HTTP requests and malicious HTTP requests; processing the collected normal and malicious HTTP requests to obtain a sample set, where each sample in the sample set comprises a sample class and a sample feature space; inputting the sample set as the training set and using a Bayesian classification learning algorithm to learn a binary classifier; for an HTTP request to be determined, extracting the decision features to obtain the decision feature space, using the binary classifier to predict whether it is a malicious HTTP request or a normal HTTP request, and labelling the HTTP request to be determined with the determination result, thereby obtaining the determination result. The method can determine whether an HTTP request initiated from the user terminal side is a malicious request or a normal request.
Description
Technical field
The invention belongs to the technical field of network security, and specifically relates to a method for determining malicious HTTP requests based on Bayesian learning theory.
Background technology
Because the HTTP protocol is standardized and widely applicable, in addition to common web-site services, the various newly emerging mobile applications (apps) have also begun to use the HTTP protocol for data communication. Many applications stay resident in the background and automatically send HTTP request messages to the server to transmit data. If the application is malicious, these HTTP requests may involve malicious behaviour such as stealing user privacy or propagating botnet and trojan messages.
An HTTP request is a message initiated from the user side toward the server side, and generally uses the HTTP GET method or the HTTP POST method. For the HTTP GET method, the request message looks like this:
"/domain-name/demo_form.jsp?name1=value1&name2=value2"
For the POST method, the request message looks like this:
"POST /test/demo_form.jsp HTTP/1.1, Host: w3schools.com
name1=value1&name2=value2".
As can be seen from the above, whether the request is an HTTP GET request or an HTTP POST request, it contains fields of the form "name=value". These fields are added by the application itself, and it is through these fields that the application transmits content from the user side. These fields are the key to determining whether an HTTP request is malicious behaviour.

How to determine whether an HTTP request sent from the user side is normal or malicious is a technical problem that needs to be solved. The present invention proposes a method based on Bayesian theory that can automatically predict and determine whether an HTTP request is malicious behaviour. The method is mainly based on Bayesian learning and classification theory, which has been applied in applications such as spam filtering. Bayes' principle is a basic principle of probability theory: based on conditional probability and the law of total probability, it uses prior probabilities to determine posterior probabilities.
Summary of the invention
In view of this, the invention provides a method for determining malicious HTTP requests based on Bayesian learning theory, which can determine whether an HTTP request initiated from the user terminal side is a malicious request or a normal request.

To achieve the above object, the technical solution of the invention is a method for determining malicious HTTP requests based on Bayesian learning theory, comprising the following steps:
S1. Collect a set number of normal HTTP requests and malicious HTTP requests.

S2. Apply the processing of S2.1~S2.4 below to the collected normal HTTP requests and malicious HTTP requests respectively, to obtain the sample set. Specifically:

S2.1. Manually label the collected HTTP requests: a normal HTTP request is given label 0, and a malicious HTTP request is given label 1.

S2.2. For all collected HTTP requests, extract the "value" string of each "name=value" field; the "value" strings that occur across all HTTP requests in the sample set form the feature space.

S2.3. Treat each HTTP request as one sample to form the sample set. A sample comprises a sample class and a sample feature space:

The class of the sample is the label assigned manually in S2.1, either 0 or 1.

The sample feature space is the feature space of S2.2; within it, the fields corresponding to all "value" strings that occur in the sample are marked 1, and all other fields are marked 0.

S3. Input the sample set from step S2 as the training set and use a Bayesian classification learning algorithm to learn a binary classifier.

S4. For an HTTP request to be determined, extract the decision features. The decision feature extraction process is as follows: build a decision feature space consistent with the feature space in S2.2, with all fields initially marked 0; then update to 1 the fields corresponding to all "value" strings that occur in the HTTP request to be determined, leaving the others at 0.

S5. Feed the HTTP request to be determined from S4 into the binary classifier from S3 for prediction, determine whether it is a malicious HTTP request or a normal HTTP request, and label the HTTP request to be determined with the determination result, thereby obtaining the determination result.

Further, in S5, after the determination result is obtained, the HTTP request to be determined, labelled with the determination result, is added to the training set as a new sample; steps S2 and S3 are repeated and the binary classifier is updated until the classifier is stable.
Beneficial effects:

The method is based on Bayesian learning and classification theory. From the probability with which "name=value" fields occur in HTTP requests of known class, it learns whether a request is a malicious HTTP request; it then extracts the "name=value" field information from an unclassified HTTP request to determine whether that request is malicious. The method can determine quickly and accurately whether an HTTP request is malicious.
Detailed description of the invention
The present invention is described below with reference to an embodiment.

The present invention proposes a method based on Bayesian theory that can automatically predict and determine whether an HTTP request is malicious behaviour. The method is mainly based on Bayesian learning and classification theory, which has been applied in applications such as spam filtering. Bayes' principle is a basic principle of probability theory: based on conditional probability and the law of total probability, it uses prior probabilities to determine posterior probabilities. From the probability with which "name=value" fields occur in HTTP requests of known class, the method learns whether a request is a malicious HTTP request; it then extracts the "name=value" field information from an unclassified HTTP request to determine whether that request is malicious. The method comprises the following steps:
S1. First collect a certain number of normal HTTP requests and malicious HTTP requests;

S2. Label the collected HTTP requests and extract features, as input for the training set;

Here, S2 further comprises the following steps:

S2.1 First manually label the collected HTTP requests: a normal HTTP request is given label 0, and a malicious HTTP request is given label 1;

S2.2 For all collected HTTP requests, extract the "value" string of each "name=value" field, and use the "value" strings that occur as the feature space;

S2.3 Treat each HTTP request as one sample. The class of the sample is the label assigned manually in S2.1, either 0 or 1. The feature space of the sample is the feature space of S2.2: if a given "value" string occurs in the sample, the corresponding feature field is marked 1, otherwise it is marked 0;

S2.4 Input each collected HTTP request sample as part of the training set;

S3. Input the sample set from step S2 as the training set and use a Bayesian classification learning algorithm to learn a binary classifier;

S4. For an HTTP request that needs to be determined, first extract and compute its features so that it can be predicted as a sample. The feature computation process is as follows: take the feature space of S2.2 as the feature space, with all fields marked 0; extract the "value" strings of all "name=value" fields that occur in the HTTP request, and update the features corresponding to these "value" strings to 1, leaving the others at 0;

S5. Feed the sample to be predicted from S4 into the binary classifier learned in S3 for prediction, and determine whether it is a malicious HTTP request or a normal HTTP request;

S6. After selective manual confirmation, add the samples predicted in S5 to the training set as new samples, and repeat steps S2 and S3 to reinforce the classifier's learning until the classifier is stable.
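Steps S2 to S5 above, as an added example that is not part of the patent text. The patent names only a "Bayesian classification learning algorithm", so the Bernoulli naive Bayes model with add-one smoothing used here is an assumption, as are the function names, the (url, body) request representation and the constructed sample requests.

```python
import math
from urllib.parse import urlsplit, parse_qsl

def extract_values(request):
    """S2.2: return the set of "value" strings from every name=value field.
    `request` is a (url, form_body) pair; form_body is "" for GET."""
    url, body = request
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return {value for _name, value in pairs}

def train(samples):
    """S2.3 + S3: samples is a list of (request, label); 0 = normal, 1 = malicious."""
    space = sorted(set().union(*(extract_values(r) for r, _ in samples)))
    n = {0: 0, 1: 0}                                   # samples per class
    hits = {c: dict.fromkeys(space, 0) for c in (0, 1)}  # per-class field == 1 counts
    for request, label in samples:
        n[label] += 1
        for v in extract_values(request):
            hits[label][v] += 1
    model = {"space": space, "log_prior": {}, "p": {}}
    for c in (0, 1):
        # Add-one (Laplace) smoothing keeps every probability strictly in (0, 1).
        model["log_prior"][c] = math.log((n[c] + 1) / (len(samples) + 2))
        model["p"][c] = {v: (hits[c][v] + 1) / (n[c] + 2) for v in space}
    return model

def log_scores(model, request):
    """S4 + S5: build the 0/1 vector over the training feature space and score it.
    Values never seen in training have no field in the space and are ignored."""
    seen = extract_values(request)
    scores = {}
    for c in (0, 1):
        s = model["log_prior"][c]
        for v in model["space"]:
            p = model["p"][c][v]
            s += math.log(p if v in seen else 1.0 - p)
        scores[c] = s
    return scores

def predict(model, request):
    """Return 1 (malicious) or 0 (normal); ties go to normal."""
    scores = log_scores(model, request)
    return 1 if scores[1] > scores[0] else 0

# Constructed, hand-labelled sample set (S1 + S2.1); hosts and values are made up.
TRAIN_SET = [
    (("http://app.example/news?cat=sports&page=1", ""), 0),
    (("http://app.example/news?cat=weather&page=2", ""), 0),
    (("http://app.example/login", "lang=en&theme=dark"), 0),
    (("http://c2.example/gate.php?cmd=beacon&id=bot01", ""), 1),
    (("http://c2.example/gate.php", "cmd=beacon&data=contacts"), 1),
    (("http://c2.example/up.php?type=sms&data=contacts", ""), 1),
]

if __name__ == "__main__":
    model = train(TRAIN_SET)
    for req in [("http://x.example/a?cmd=beacon&data=contacts", ""),
                ("http://app.example/news?cat=sports&page=2", ""),
                ("http://z.example/?q=unknown", "")]:
        print(predict(model, req), req[0])
```

The third request carries only a value that never occurred in training, so its feature vector is all zeros and it is scored purely on the absence of known values; with this sample set it is classified as normal.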
In summary, the above is only a preferred embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (2)
1. A method for determining malicious HTTP requests based on Bayesian learning theory, characterized in that the method comprises the following steps:

S1. Collect a set number of normal HTTP requests and malicious HTTP requests;

S2. Apply the processing of S2.1~S2.4 below to the collected normal HTTP requests and malicious HTTP requests respectively, to obtain the sample set. Specifically:

S2.1. Manually label the collected HTTP requests: a normal HTTP request is given label 0, and a malicious HTTP request is given label 1;

S2.2. For all collected HTTP requests, extract the "value" string of each "name=value" field; the "value" strings that occur across all HTTP requests in the sample set form the feature space;

S2.3. Treat each HTTP request as one sample to form the sample set. A sample comprises a sample class and a sample feature space:

The class of the sample is the label assigned manually in S2.1, either 0 or 1;

The sample feature space is the feature space of S2.2; within it, the fields corresponding to all "value" strings that occur in the sample are marked 1, and all other fields are marked 0;

S3. Input the sample set from step S2 as the training set and use a Bayesian classification learning algorithm to learn a binary classifier;

S4. For an HTTP request to be determined, extract the decision features. The decision feature extraction process is as follows: build a decision feature space consistent with the feature space in S2.2, with all fields initially marked 0; then update to 1 the fields corresponding to all "value" strings that occur in the HTTP request to be determined, leaving the others at 0;

S5. Feed the HTTP request to be determined from S4 into the binary classifier from S3 for prediction, determine whether it is a malicious HTTP request or a normal HTTP request, and label the HTTP request to be determined with the determination result, thereby obtaining the determination result.

2. A method for determining malicious HTTP requests based on Bayesian learning theory, characterized in that, in said S5, after the determination result is obtained, the HTTP request to be determined, labelled with the determination result, is added to the training set as a new sample; steps S2 and S3 are repeated and the binary classifier is updated until the classifier is stable.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610546795.5A CN106209845A (en) | 2016-07-12 | 2016-07-12 | Method for determining malicious HTTP requests based on Bayesian learning theory |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106209845A true CN106209845A (en) | 2016-12-07 |
Family
ID=57476516
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610546795.5A Pending CN106209845A (en) | Method for determining malicious HTTP requests based on Bayesian learning theory | 2016-07-12 | 2016-07-12 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106209845A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20161207 |