CN110798488A - Web application attack detection method - Google Patents

Web application attack detection method

Info

Publication number: CN110798488A
Authority: CN (China)
Application number: CN202010002469.4A
Other languages: Chinese (zh)
Other versions: CN110798488B (en)
Legal status: Granted; active
Inventors: 李蕾, 杨欣明, 张春林, 李利军, 李青春
Current assignee: Beijing Tongtech Co Ltd
Original assignee: Beijing Tongtech Co Ltd
Prior art keywords: access, attack, web application, access request, determining
History: application filed by Beijing Tongtech Co Ltd; priority to CN202010002469.4A; publication of CN110798488A; application granted; publication of CN110798488B.

Classifications

    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 ... by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06N3/045 Neural networks: combinations of networks
    • G06N3/08 Neural networks: learning methods

Abstract

The invention relates to a Web application attack detection method. The method comprises the following steps: monitoring an access request from a Web application; extracting the access characteristics of the access request; judging whether the access characteristics of the access request conform to an attack access rule to obtain a judgment result; and determining, according to the judgment result, whether the access request from the Web application is attack access. With this technical scheme, whether an access request from a Web application is attack access can be accurately determined, so that attack access by an illegal user is accurately identified and data loss on the accessed device, or harm to its security from malicious attack access, is avoided.

Description

Web application attack detection method
Technical Field
The invention relates to the technical field of Internet, in particular to a Web application attack detection method.
Background
At present, with the development of internet technology, more and more users access servers or other terminals on the internet through Web applications. Normal access poses no problem and benefits the exchange of information between both sides; sometimes, however, an illegal user attacks a server or other terminal on the internet through a Web application, so that the accessed server or terminal loses data, suffers malicious attacks that affect its security, and has other problems.
Disclosure of Invention
The embodiment of the invention provides a Web application attack detection method. The technical scheme is as follows:
the embodiment of the invention provides a Web application attack detection method, which comprises the following steps:
monitoring an access request from a Web application;
extracting the access characteristics of the access request;
judging whether the access characteristics of the access request accord with an attack access rule or not to obtain a judgment result;
and determining whether the access request from the Web application is attack access or not according to the judgment result.
In one embodiment, the extracting the access characteristic of the access request includes:
determining an access terminal from which the access request comes;
determining a terminal identifier of the access terminal;
the judging whether the access characteristics of the access request conform to attack access rules to obtain a judgment result includes the following steps:
acquiring a pre-stored attack terminal identification list;
matching the terminal identification of the access terminal with the attack terminal identification list in sequence;
and judging whether the terminal identification of the access terminal is matched with any attack terminal identification in the attack terminal identification list or not, and obtaining a judgment result.
In one embodiment, the determining whether the access request from the Web application is an attack access according to the determination result includes:
when the judgment result is that the terminal identification is matched with any attack terminal identification in the attack terminal identification list, determining that the access request from the Web application is attack access;
and when the judgment result shows that the terminal identification is not matched with each attack terminal identification in the attack terminal identification list, determining that the access request from the Web application is not attack access.
In one embodiment, the extracting the access characteristic of the access request includes:
determining an access terminal from which the access request comes;
determining an access time interval of the access terminal according to the access request and a historical access request from the access terminal;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
and judging whether the access time interval accords with a preset attack access time interval or not to obtain a judgment result.
In one embodiment, the determining whether the access request from the Web application is an attack access according to the determination result includes:
when the judgment result shows that the access time interval accords with the preset attack access time interval, determining that the access request from the Web application is attack access;
and when the judgment result shows that the access time interval does not accord with the preset attack access time interval, determining that the access request from the Web application does not belong to attack access.
In one embodiment, the extracting the access characteristic of the access request includes:
determining an access terminal from which the access request comes;
determining access time corresponding to the access request;
determining an access frequency corresponding to the access terminal according to the access time corresponding to the access request and a historical access request from the access terminal;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
judging whether the access frequency corresponding to the access terminal meets a preset attack access frequency or not, and obtaining a judgment result;
the determining whether the access request from the Web application is attack access according to the judgment result includes:
when the access frequency corresponding to the access terminal accords with a preset attack access frequency, determining that the access request from the Web application is attack access;
and when the access frequency corresponding to the access terminal does not accord with the preset attack access frequency, determining that the access request from the Web application does not belong to attack access.
In one embodiment, the extracting the access characteristic of the access request includes:
extracting access data in the access request;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
judging whether the access data comprises attack access data, and obtaining the judgment result, wherein the attack access data comprises at least one of the following items: preset sensitive words, attack pictures, attack audio and attack video;
the determining whether the access request from the Web application is attack access according to the judgment result includes:
when the judgment result is that the access data comprises attack access data, determining that the access request from the Web application is attack access;
and when the judgment result is that the access data does not include attack access data, determining that the access request from the Web application is not attack access.
In one embodiment, when it is determined that the access request from the Web application is an attack access, the method further includes:
generating a detection picture corresponding to the access request;
inputting the detection picture into a convolutional neural network to obtain a current attack detection result of the detection picture;
determining the current attack detection result of the detection picture as the attack detection result corresponding to the access request;
acquiring a standard detection result of the detection picture;
determining a difference between the attack detection result of the corresponding access request and the standard detection result;
and adjusting the parameters in each layer of the convolutional neural network by stochastic gradient descent based on the difference.
In one embodiment, the method further comprises:
processing Web files and constructing a file set;
from the file set, obtaining a plurality of mutually independent views using domain-knowledge features and text features;
training with the plurality of mutually independent views to obtain two classifiers;
integrating the two classifiers according to a preset method to obtain a Web attack detection model;
and after the access request from the Web application is determined to be attack access, using the Web attack detection model to determine again the confidence that the access request belongs to attack access.
The technical scheme provided by the embodiment of the invention can have the following beneficial effects:
after monitoring the access request from the Web application, the access characteristics of the access request can be extracted, whether the access characteristics of the access request accord with the attack access rules or not is further judged, a judgment result is obtained, and then whether the access request from the Web application is attack access or not can be accurately determined according to the judgment result, so that the attack access of an illegal user is accurately identified, and the data loss of the accessed device or the influence on the safety by the malicious attack access is avoided.
In one embodiment of the present invention, determining whether the access request from the Web application is attack access according to the judgment result comprises the following steps:
extracting access data in the access request;
automatically matching the access data against data extracted from a first preset Web application that has been determined to be attack access, and correcting with data extracted from a second preset Web application that has been determined to be non-attack, to determine whether the access request of the Web application is attack access. The specific steps are:
step A1: matching the extracted access data with the data extracted from the first preset Web application using formula (1) to obtain a risk coefficient D of the Web application;
[Formula (1): image not reproduced in the source]
where D represents the risk coefficient of the Web application, [symbol not reproduced] represents the i-th access data item extracted from the access request, [symbol not reproduced] represents the j-th data item extracted from the first preset Web application, m is the total number of access data items extracted from the access request, and n is the total number of data items extracted from the first preset Web application;
step A2: correcting and integrating the risk coefficient D obtained from formula (1) using formula (2) and the data in the second preset Web application, to finally obtain a comprehensive access value S of the Web application;
[Formula (2): image not reproduced in the source]
where [symbol not reproduced] represents the t-th data item extracted from the second preset Web application, and z is the total number of data items extracted from the second preset Web application;
step A3: optimizing the comprehensive access value S obtained from formula (2) using formula (3) to obtain a final judgment value W;
[Formula (3): image not reproduced in the source]
where [symbol not reproduced] represents a preset comprehensive access value, calculated using formula (4);
[Formula (4): image not reproduced in the source]
when W is greater than or equal to 1, the access request from the Web application is attack access, and an early-warning signal is sent out;
when W < 1, the access request from the Web application is not attack access, and subsequent normal operation continues.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
Fig. 1 is a flowchart illustrating a Web application attack detection method according to an example embodiment.
FIG. 2 is a flow diagram illustrating another method of Web application attack detection in accordance with an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.
In order to solve the above technical problem, an embodiment of the present invention provides a method for detecting a Web application attack. The method may be used in a Web application attack detection program, system or device, and the entity executing the method may be a terminal or a server. As shown in fig. 1, the method includes steps S101 to S104:
in step S101, an access request from the Web application is monitored;
in step S102, extracting an access characteristic of the access request;
in step S103, determining whether the access characteristic of the access request meets an attack access rule, to obtain a determination result;
in step S104, it is determined whether the access request from the Web application is an attack access according to the determination result.
After monitoring the access request from the Web application, the access characteristics of the access request can be extracted, whether the access characteristics of the access request accord with the attack access rules or not is further judged, a judgment result is obtained, and then whether the access request from the Web application is attack access or not can be accurately determined according to the judgment result, so that the attack access of an illegal user is accurately identified, and the data loss of the accessed device or the influence on the safety by the malicious attack access is avoided.
In one embodiment, the extracting the access characteristic of the access request includes:
determining an access terminal from which the access request comes;
determining a terminal identifier of the access terminal; the terminal identifier may be a unique identifier of the terminal, such as a mobile phone number or a serial number.
Judging whether the access characteristics of the access request conform to attack access rules to obtain a judgment result includes the following steps:
acquiring a pre-stored attack terminal identification list;
matching the terminal identification of the access terminal with the attack terminal identification list in sequence;
and judging whether the terminal identification of the access terminal is matched with any attack terminal identification in the attack terminal identification list or not, and obtaining a judgment result. The attack access rule comprises that the terminal identification of the access terminal is matched with any attack terminal identification in the attack terminal identification list.
After determining the terminal identifier of the access terminal sending the access request, the terminal identifier of the access terminal may be sequentially matched with the attack terminal identifier list to determine whether the terminal identifier of the access terminal is matched with any one of the attack terminal identifiers in the attack terminal identifier list, and obtain an accurate determination result, and then determine whether the access request sent by the access terminal is attack access or not based on the determination result.
In one embodiment, the determining whether the access request from the Web application is an attack access according to the determination result includes:
when the judgment result is that the terminal identification is matched with any attack terminal identification in the attack terminal identification list, determining that the access request from the Web application is attack access;
and when the judgment result shows that the terminal identification is not matched with each attack terminal identification in the attack terminal identification list, determining that the access request from the Web application is not attack access.
And when the judgment result is that the terminal identification is matched with any one of the attack terminal identifications in the pre-stored attack terminal identification list, the access terminal sending the access request is an attack terminal and is already classified into an attack blacklist, so that the access request from the Web application can be determined as attack access. And when the judgment result shows that the terminal identification is not matched with each attack terminal identification in the attack terminal identification list, the access terminal sending the access request is not the attack terminal, so that the access request from the Web application can be determined not to belong to attack access.
In one embodiment, the extracting the access characteristic of the access request includes:
determining an access terminal from which the access request comes;
determining an access time interval of the access terminal according to the access request and a historical access request from the access terminal; the historical access requests may be all access requests over a period of time in the past.
The judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
and judging whether the access time interval accords with a preset attack access time interval or not to obtain a judgment result, wherein the attack access rule comprises the preset attack access time interval.
After the access terminal from which the access request comes is determined, the access time interval of the access terminal can be determined based on the access request and the historical access request, whether the access time interval meets the preset attack access time interval or not is further judged to obtain an accurate judgment result, and whether the access request initiated by the access terminal is attack access or not is determined according to the judgment result.
In one embodiment, the determining whether the access request from the Web application is an attack access according to the determination result includes:
when the judgment result shows that the access time interval accords with the preset attack access time interval, determining that the access request from the Web application is attack access;
and when the judgment result shows that the access time interval does not accord with the preset attack access time interval, determining that the access request from the Web application does not belong to attack access.
When the judgment result shows that the access time interval conforms to the preset attack access time interval, the interval since the access terminal's previous access is too short, so the access request from the Web application can be accurately determined to be attack access.
In one embodiment, the extracting the access characteristic of the access request includes:
determining an access terminal from which the access request comes;
determining access time corresponding to the access request;
determining an access frequency corresponding to the access terminal according to the access time corresponding to the access request and a historical access request from the access terminal;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
judging whether the access frequency corresponding to the access terminal meets a preset attack access frequency or not, and obtaining a judgment result; the attack access rule is a preset attack access frequency.
The determining whether the access request from the Web application is attack access according to the judgment result includes:
when the access frequency corresponding to the access terminal accords with a preset attack access frequency, determining that the access request from the Web application is attack access;
and when the access frequency corresponding to the access terminal does not accord with the preset attack access frequency, determining that the access request from the Web application does not belong to attack access.
After the access terminal from which the access request comes is determined, the access frequency of the access terminal can be determined from the access request and the historical access requests; whether the access frequency conforms to the preset attack access frequency is then judged to obtain an accurate judgment result, and whether the access request initiated by the access terminal is attack access is determined according to that result. Specifically, if the access frequency of the access terminal conforms to the preset attack access frequency, the terminal is accessing too often, at a frequency higher than normal, so the access request from the Web application can be determined to be attack access; if the access frequency does not conform to the preset attack access frequency, the terminal's access frequency has remained normal and the suspicion of attack access can be ruled out, so the access request from the Web application can be determined not to belong to attack access.
In one embodiment, the extracting the access characteristic of the access request includes:
extracting access data in the access request;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
judging whether the access data comprises attack access data or not, and obtaining the judgment result, wherein the attack access data comprises at least one of the following items: presetting sensitive words, attack pictures, attack audio and attack video; the attack access rule is that there is attack access data.
The determining whether the access request from the Web application is attack access according to the judgment result includes:
when the judgment result is that the access data comprises attack access data, determining that the access request from the Web application is attack access;
and when the judgment result is that the access data does not include attack access data, determining that the access request from the Web application is not attack access.
When the access data does include attack access data, the access terminal is using the attack access data to access the accessed terminal illegally, so the access request from the Web application can be determined to be attack access; when the judgment result shows that the access data does not include attack access data, the access terminal is not using attack access data to access the accessed terminal illegally, so the access request from the Web application is determined not to belong to attack access.
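The four rule-based embodiments above (attack terminal list, access time interval, access frequency, and attack access data in the request) can be evaluated by one small rule engine. The following is an added example in Python; it is not code from the patent or from Beijing Tongtech. The class and function names, the threshold values, the terminal identifiers and the sample requests are all constructed for illustration, and the attack-data check is reduced to a preset sensitive-word match (the page's picture, audio and video variants are not modelled).

```python
"""Added example (not code from the patent): the four attack-access rules
evaluated by one small rule engine. Thresholds, terminal identifiers and the
sample requests below are constructed values, not values from the patent."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AccessRequest:
    terminal_id: str   # unique terminal identifier (e.g. serial number)
    timestamp: float   # access time, epoch seconds
    data: str          # access data carried by the request (URL, body, ...)


@dataclass
class AttackRules:
    blacklist: frozenset                 # pre-stored attack terminal identification list
    min_interval: float = 1.0            # preset attack access time interval (seconds)
    window: float = 60.0                 # window over which access frequency is counted
    max_per_window: int = 20             # preset attack access frequency (requests/window)
    sensitive_words: tuple = ("select", "union", "<script", "eval(")  # preset sensitive words


class AttackDetector:
    """Keeps a per-terminal history of access times so that the interval and
    frequency rules can be evaluated against historical requests."""

    def __init__(self, rules: AttackRules):
        self.rules = rules
        self.history = defaultdict(deque)   # terminal_id -> access timestamps

    def _prune(self, times: deque, now: float) -> None:
        # Drop timestamps that fell out of the frequency window.
        while times and now - times[0] > self.rules.window:
            times.popleft()

    def evaluate(self, req: AccessRequest) -> list:
        """Return the names of the rules the request matches; [] means not attack."""
        r = self.rules
        matched = []
        # Rule 1: terminal identifier is in the attack terminal identification list
        if req.terminal_id in r.blacklist:
            matched.append("blacklist")
        times = self.history[req.terminal_id]
        self._prune(times, req.timestamp)
        # Rule 2: interval since this terminal's previous access is below the threshold
        if times and req.timestamp - times[-1] < r.min_interval:
            matched.append("interval")
        # Rule 3: accesses in the window (including this one) exceed the preset frequency
        if len(times) + 1 > r.max_per_window:
            matched.append("frequency")
        # Rule 4: access data contains a preset sensitive word
        lowered = req.data.lower()
        if any(word in lowered for word in r.sensitive_words):
            matched.append("content")
        times.append(req.timestamp)   # record this access as history for later requests
        return matched

    def is_attack(self, req: AccessRequest) -> bool:
        return bool(self.evaluate(req))


if __name__ == "__main__":
    # Constructed sample traffic: one normal terminal, one blacklisted, one bursty.
    rules = AttackRules(blacklist=frozenset({"dev-0042"}), max_per_window=3)
    detector = AttackDetector(rules)
    sample = [
        AccessRequest("dev-0001", 100.0, "/index.html"),
        AccessRequest("dev-0042", 100.2, "/index.html"),
        AccessRequest("dev-0007", 101.0, "/search?q=1"),
        AccessRequest("dev-0007", 101.3, "/search?q=2"),
        AccessRequest("dev-0007", 105.0, "/search?q=3"),
        AccessRequest("dev-0007", 110.0, "/search?q=4"),
        AccessRequest("dev-0001", 130.0, "/login?user=a%27%20union%20select%201"),
    ]
    for req in sample:
        print(req.terminal_id, req.timestamp, detector.evaluate(req))
```

The rules are evaluated independently and every match is reported, which lets a deployment log which rule fired rather than only a yes/no verdict; the sliding window is pruned before the frequency count so that a terminal whose burst has aged out of the window is no longer flagged.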
As shown in fig. 2, in one embodiment, when it is determined that the access request from the Web application is an attack access, the method further includes:
in step S201, a detection picture corresponding to the access request is generated;
the generation process may be as follows:
the log text of the access request is obtained from the network traffic log; for the log text of any access request, a picture containing the detection objects in that log text is generated and taken as the detection picture corresponding to that request.
The detection objects are one or more of the following: the page status code, the uniform resource identifier (URL or URI), the parameters, and the HTTP request method.
In step S202, the detection picture is input into a convolutional neural network to obtain a current attack detection result for the detection picture; the current attack detection result may be the attack type, attack level and the like to which the detection picture belongs.
In step S203, the current attack detection result of the detection picture is determined to be the attack detection result corresponding to the access request;
in step S204, a standard detection result of the detection picture is obtained;
in step S205, the difference between the attack detection result corresponding to the access request and the standard detection result is determined;
in step S206, based on the difference, the parameters in each layer of the convolutional neural network are adjusted by stochastic gradient descent.
After a detection picture corresponding to the access request is generated, the detection picture can be input into the convolutional neural network to obtain a current attack detection result of the detection picture, the current attack detection result of the detection picture is compared with a standard detection result, and then parameters in each layer of network in the convolutional neural network are accurately adjusted according to a compared difference value, so that the current attack detection result of a subsequent detection picture is more accurate.
In one embodiment, the method further comprises:
processing Web files and constructing a file set;
from the file set, obtaining a plurality of mutually independent views using domain-knowledge features and text features:
Constructing a view from domain-knowledge features:
The feature space consists of 12 features in total:
(1) path length; (2) path depth; (3) parameter length; (4) number of parameters; (5) maximum parameter name length; (6) average parameter name length; (7) maximum parameter value length; (8) average parameter value length; (9) proportion of letters in parameter values; (10) proportion of numbers in parameters; (11) proportion of special characters in parameter values; (12) number of attack keywords.
The special characters include <, ", the comma, @, % and the like; the attack keywords include "and", "or", "select", "script", "eval" and the like, and can be obtained by querying an attack feature library. The URL is vectorized using this feature space, S is converted into view X1, and finally X1 is normalized.
Constructing a view from text features:
First, the URL corresponding to the access request is segmented with N-grams. The feature space of the URL is the combination of all characters: if there are c different characters in S, the dimension d of the URL vector is equal to [formula not reproduced in the source], where N is the N of the N-gram. TF-IDF is then used to compute the feature values of the URL, and view X2 is finally obtained through the N-gram segmentation and the TF-IDF computation.
Training by utilizing the multiple mutually independent views to obtain two classifiers;
integrating the two classifiers according to a preset method to obtain a Web attack detection model;
and after the access request from the Web application is determined to be attack access, determining the confidence degree that the access request belongs to the attack access by using the Web attack detection model again.
By the technical scheme of the embodiment, after the access request from the Web application is determined to be attack access, the confidence coefficient that the access request belongs to the attack access can be accurately determined by using the Web attack detection model again, so that misjudgment of the attack access is avoided, and the judgment accuracy of the attack access is improved. Specifically, if the confidence level is found to be low through detection of the Web attack detection model, it indicates that a misjudgment exists before, that is, the monitored access request from the Web application does not belong to attack access.
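The expert-knowledge view X1 described above, computed from request URLs and then normalised, as an added example that is not the patent's own code; the keyword list, the special-character set and the sample URLs are constructed stand-ins for the attack feature library and the file set.

```python
"""Added example (not the patent's code): the 12-feature expert-knowledge
view X1 described above, computed from request URLs and then normalised.
ATTACK_KEYWORDS, SPECIAL_CHARS and SAMPLE_URLS are constructed stand-ins
for the patent's attack feature library and file set."""
import re
from urllib.parse import parse_qsl, urlsplit

ATTACK_KEYWORDS = ("and", "or", "select", "script", "eval")   # assumed list
SPECIAL_CHARS = set("<>\"'@%;()=&")                          # assumed set


def x1_features(url: str) -> list:
    """Return the 12 X1 features in the order the description lists them."""
    parts = urlsplit(url)
    path = parts.path or "/"
    segments = [s for s in path.split("/") if s]      # depth = segment count
    query = parts.query
    # parse_qsl percent-decodes values, so encoded keywords are seen as well.
    params = parse_qsl(query, keep_blank_values=True)
    names = [n for n, _ in params]
    values = [v for _, v in params]
    joined = "".join(values)
    total = len(joined)

    def ratio(pred) -> float:
        return sum(1 for ch in joined if pred(ch)) / total if total else 0.0

    def avg_len(items) -> float:
        return sum(len(x) for x in items) / len(items) if items else 0.0

    # Keywords are counted as whole alphabetic runs, case-insensitively.
    words = re.findall(r"[a-z]+", joined.lower())
    keyword_count = sum(1 for w in words if w in ATTACK_KEYWORDS)
    return [
        len(path),                                    # path length
        len(segments),                                # path depth
        len(query),                                   # parameter length
        len(params),                                  # parameter number
        max((len(n) for n in names), default=0),      # max parameter name len
        avg_len(names),                               # avg parameter name len
        max((len(v) for v in values), default=0),     # max parameter value len
        avg_len(values),                              # avg parameter value len
        ratio(str.isalpha),                           # letters in values
        ratio(str.isdigit),                           # numbers in values
        ratio(lambda ch: ch in SPECIAL_CHARS),        # special chars in values
        keyword_count,                                # attack keywords
    ]


def normalise(rows: list) -> list:
    """Min-max normalise each feature column to [0, 1]; constant columns -> 0."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(row, lo, hi)] for row in rows]


# Constructed sample requests: one benign, one carrying SQL-injection text.
SAMPLE_URLS = [
    "http://example.test/shop/item?id=42&lang=en",
    "http://example.test/shop/item?id=1' or '1'='1&q=select%20*",
]
X1 = normalise([x1_features(u) for u in SAMPLE_URLS])
```

The second URL scores 2 attack keywords ("or", "select") and a 0.25 special-character ratio, which is what separates it from the benign request in the normalised view.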
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
In one embodiment, determining whether the access request from the Web application is an attack access according to the determination result includes:
extracting access data from the access request; the access data is the specific data carried in the access request, and there may be one or more pieces of it.
Automatically matching the access data against data extracted from a first preset Web application determined to be attack access, and correcting the result with data extracted from a second preset Web application determined to be free of attack, to determine whether the access request of the Web application is attack access.
The first preset Web application is an application determined in advance to have sent attack access, once or repeatedly; the second preset Web application is an application determined in advance never to have sent attack access.
The data extracted from the first preset Web application is a large volume of pre-stored data carried in access requests from the first preset Web application.
Likewise, the data extracted from the second preset Web application is a large volume of pre-stored data carried in access requests from the second preset Web application.
The method comprises the following specific steps:
step A1: matching the extracted access data with the data extracted from the first preset Web application by using a formula (1) to obtain a risk coefficient D of the Web application;
wherein D represents the risk coefficient of the Web application, the i-th access data item extracted from the access request is represented, the j-th data item extracted from the first preset Web application is represented, m represents the total number of access data items extracted from the access request, and n represents the total number of data items extracted from the first preset Web application;
step A2: correcting and integrating the risk coefficient D obtained by the formula (1) by using the formula (2) and the data in the second preset Web application to finally obtain an access comprehensive value S of the Web application;
wherein the t-th data item extracted from the second preset Web application is represented, and z represents the total number of data items extracted from the second preset Web application;
step A3: optimizing the access comprehensive value S obtained from formula (2) by using formula (3) to obtain a final judgment value W;
wherein the preset access comprehensive value is represented and is calculated by formula (4);
when W ≥ 1, the access request from the Web application is attack access, and an early warning signal is sent;
when W < 1, the access request from the Web application is not attack access, and subsequent normal operations continue (for example, responding to the access request).
The beneficial effects of the above technical scheme are as follows. Matching against the data extracted from the Web application determined to be attack access yields a risk coefficient that accurately represents the risk in the access request from the Web application; the data from the Web application determined to be free of attack is then used for correction and integration, so the access request is judged by weighing both the security and the risk of its data, and the resulting access comprehensive value is authentic and reliable. This makes it convenient to determine accurately whether the access request is attack access, and optimising the access comprehensive value improves the practicability and simplicity of the scheme.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the invention is limited only by the appended claims.

Claims (9)

1. A Web application attack detection method is characterized by comprising the following steps:
monitoring an access request from a Web application;
extracting the access characteristics of the access request;
judging whether the access characteristics of the access request accord with an attack access rule or not to obtain a judgment result;
determining whether the access request from the Web application is attack access or not according to the judgment result;
the method further comprises the following steps:
processing Web files and constructing a file set;
combining the file set, and obtaining a plurality of mutually independent views by utilizing the characteristics of professional knowledge and the characteristics of texts;
training by utilizing the multiple mutually independent views to obtain two classifiers;
integrating the two classifiers according to a preset method to obtain a Web attack detection model;
and after the access request from the Web application is determined to be attack access, determining the confidence degree that the access request belongs to the attack access by using the Web attack detection model again.
2. The method of claim 1, wherein the extracting the access characteristic of the access request comprises:
determining an access terminal from which the access request comes;
determining a terminal identifier of the access terminal;
judging whether the access characteristics of the access request accord with attack access rules or not to obtain a judgment result, wherein the judgment result comprises the following steps:
acquiring a pre-stored attack terminal identification list;
matching the terminal identification of the access terminal with the attack terminal identification list in sequence;
and judging whether the terminal identification of the access terminal is matched with any attack terminal identification in the attack terminal identification list or not, and obtaining a judgment result.
3. The method of claim 2,
the determining whether the access request from the Web application is attack access according to the judgment result includes:
when the judgment result is that the terminal identification is matched with any attack terminal identification in the attack terminal identification list, determining that the access request from the Web application is attack access;
and when the judgment result shows that the terminal identification is not matched with each attack terminal identification in the attack terminal identification list, determining that the access request from the Web application is not attack access.
4. The method of claim 1, wherein the extracting the access characteristic of the access request comprises:
determining an access terminal from which the access request comes;
determining an access time interval of the access terminal according to the access request and a historical access request from the access terminal;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
and judging whether the access time interval accords with a preset attack access time interval or not to obtain a judgment result.
5. The method of claim 4,
the determining whether the access request from the Web application is attack access according to the judgment result includes:
when the judgment result shows that the access time interval accords with the preset attack access time interval, determining that the access request from the Web application is attack access;
and when the judgment result shows that the access time interval does not accord with the preset attack access time interval, determining that the access request from the Web application does not belong to attack access.
6. The method of claim 1, wherein the extracting the access characteristic of the access request comprises:
determining an access terminal from which the access request comes;
determining access time corresponding to the access request;
determining an access frequency corresponding to the access terminal according to the access time corresponding to the access request and a historical access request from the access terminal;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
judging whether the access frequency corresponding to the access terminal meets a preset attack access frequency or not, and obtaining a judgment result;
the determining whether the access request from the Web application is attack access according to the judgment result includes:
when the access frequency corresponding to the access terminal accords with a preset attack access frequency, determining that the access request from the Web application is attack access;
and when the access frequency corresponding to the access terminal does not accord with the preset attack access frequency, determining that the access request from the Web application does not belong to attack access.
7. The method of claim 1, wherein the extracting the access characteristic of the access request comprises:
extracting access data in the access request;
the judging whether the access characteristics of the access request meet the attack access rules or not to obtain a judgment result includes:
judging whether the access data comprises attack access data or not, and obtaining the judgment result, wherein the attack access data comprises at least one of the following items: presetting sensitive words, attack pictures, attack audio and attack video;
the determining whether the access request from the Web application is attack access according to the judgment result includes:
when the judgment result is that the access data comprises attack access data, determining that the access request from the Web application is attack access;
and when the judgment result is that the access data does not include attack access data, determining that the access request from the Web application is not attack access.
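The access-characteristic rules of claims 2 to 7 applied to a constructed access log, as an added example that is not the patent's own code; the attack terminal identifier list, the interval and frequency thresholds, the counting window and the sensitive words are illustrative assumptions.

```python
"""Added example (not the patent's code): the access-characteristic rules of
claims 2 to 7 run over a constructed access log. The attack terminal list,
the interval and frequency thresholds, the window length and the sensitive
words are illustrative assumptions."""
from collections import defaultdict

ATTACK_TERMINAL_IDS = {"term-bad-01"}      # claim 2: pre-stored attack terminal list
ATTACK_INTERVAL_SECONDS = 0.1              # claim 4: preset attack access interval
ATTACK_FREQUENCY = 5                       # claim 6: preset attack access frequency
FREQUENCY_WINDOW_SECONDS = 10.0            # window over which frequency is counted
SENSITIVE_WORDS = ("union select", "<script", "../")   # claim 7: preset sensitive words

# Constructed records: (timestamp in seconds, terminal identifier, access data).
ACCESS_LOG = [
    (100.00, "term-ok-01", "GET /index?q=shoes"),
    (100.50, "term-ok-01", "GET /item?id=7"),
    (101.00, "term-bad-01", "GET /index"),
    (102.00, "term-ok-02", "GET /item?id=1 union select 1,2,3"),
    (103.00, "term-ok-03", "GET /a"),
    (103.05, "term-ok-03", "GET /b"),
    (103.10, "term-ok-03", "GET /c"),
    (103.15, "term-ok-03", "GET /d"),
    (103.20, "term-ok-03", "GET /e"),
]


def detect(log: list) -> dict:
    """Judge each record in time order; return {index: [matched rules]}
    for every record determined to be attack access."""
    history = defaultdict(list)     # terminal id -> timestamps already seen
    verdicts = {}
    for idx, (ts, terminal, data) in enumerate(log):
        matched = []
        # Claims 2/3: terminal identifier matches the attack terminal list.
        if terminal in ATTACK_TERMINAL_IDS:
            matched.append("claim2_terminal_id")
        seen = history[terminal]
        # Claims 4/5: interval since this terminal's previous request is within
        # the preset attack access interval.
        if seen and ts - seen[-1] <= ATTACK_INTERVAL_SECONDS:
            matched.append("claim4_interval")
        # Claim 6: requests from this terminal inside the window (including
        # the current one) reach the preset attack access frequency.
        recent = sum(1 for t in seen if ts - t <= FREQUENCY_WINDOW_SECONDS)
        if recent + 1 >= ATTACK_FREQUENCY:
            matched.append("claim6_frequency")
        # Claim 7: access data contains a preset sensitive word.
        lowered = data.lower()
        if any(word in lowered for word in SENSITIVE_WORDS):
            matched.append("claim7_sensitive_word")
        seen.append(ts)
        if matched:
            verdicts[idx] = matched
    return verdicts


VERDICTS = detect(ACCESS_LOG)
```

Each verdict records which rule fired, which is the detail an operator needs when a flagged request is later re-examined for confidence as claim 1 describes.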
8. The method of claim 1, wherein upon determining that the access request from the Web application is an attack access, the method further comprises:
generating a detection picture corresponding to the access request;
inputting the detection picture into a convolutional neural network to obtain a current attack detection result of the detection picture;
determining the current attack detection result of the detection picture as the attack detection result corresponding to the access request;
acquiring a standard detection result of the detection picture;
determining a difference between the attack detection result of the corresponding access request and the standard detection result;
and adjusting parameters in each layer of network in the convolutional neural network by a random gradient descent method based on the difference value.
9. The method of claim 1,
determining whether the access request from the Web application is attack access according to the judgment result, wherein the determining comprises the following steps:
extracting access data in the access request;
automatically matching the access data with data extracted from a first preset Web application determined as attack access, and correcting by using data extracted from a second preset Web application determined as no attack to determine whether an access request of the Web application is attack access, wherein the specific steps comprise:
step A1: matching the extracted access data with the data extracted from the first preset Web application by using a formula (1) to obtain a risk coefficient D of the Web application;
wherein D represents the risk coefficient of the Web application, the i-th access data item extracted from the access request is represented, the j-th data item extracted from the first preset Web application is represented, m represents the total number of access data items extracted from the access request, and n represents the total number of data items extracted from the first preset Web application;
step A2: correcting and integrating the risk coefficient D obtained by the formula (1) by using the formula (2) and the data in the second preset Web application to finally obtain an access comprehensive value S of the Web application;
wherein the t-th data item extracted from the second preset Web application is represented, and z represents the total number of data items extracted from the second preset Web application;
step A3: optimizing the access comprehensive value S obtained from formula (2) by using formula (3) to obtain a final judgment value W;
wherein the preset access comprehensive value is represented and is calculated by formula (4);
when W ≥ 1, the access request from the Web application is attack access, and an early warning signal is sent;
when W <1, the access request from the Web application is not attack access, and subsequent normal operation is continued.
CN202010002469.4A 2020-01-03 2020-01-03 Web application attack detection method Active CN110798488B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010002469.4A CN110798488B (en) 2020-01-03 2020-01-03 Web application attack detection method

Publications (2)

Publication Number Publication Date
CN110798488A true CN110798488A (en) 2020-02-14
CN110798488B CN110798488B (en) 2020-04-14

Family

ID=69448688

Country Status (1)

Country Link
CN (1) CN110798488B (en)

Also Published As

Publication number Publication date
CN110798488B (en) 2020-04-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information

Inventor after: Li Lei, Yang Xinming, Zhang Chunlin, Li Lijun, Li Chunqing
Inventor before: Li Lei, Yang Xinming, Zhang Chunlin, Li Lijun, Li Qingchun