CN110808968B - Network attack detection method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN110808968B
Authority: CN (China)
Prior art keywords: classification, training, classifier, sample, uniform resource
Legal status: Active
Application number: CN201911021057.9A
Other languages: Chinese (zh)
Other versions: CN110808968A (en)
Inventors: 袁家雯, 李华东
Current assignee: New H3C Security Technologies Co Ltd
Original assignee: New H3C Security Technologies Co Ltd
Events: application filed by New H3C Security Technologies Co Ltd; priority to CN201911021057.9A; publication of CN110808968A; application granted; publication of CN110808968B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F18/24 Classification techniques

Abstract

When network attack detection is performed, feature information of the uniform resource locator of the page to be accessed in the received website access request is extracted, and the extracted feature information is imported into a pre-trained classification model for classification detection. Whether the website access request is a network attack request is then determined according to the classification detection result. The classification model is a support-vector-machine-based model that is obtained in advance by training on different training subsamples and that meets a preset condition; the number of samples in each group of training subsamples does not exceed a preset value. The self-learning capability of the support vector machine is thus used to improve the adaptability and accuracy of network attack detection without increasing hardware cost, and because training is performed on subsamples whose sizes do not exceed the preset value, model accuracy is guaranteed while training efficiency is improved and training time is shortened.

Description

Network attack detection method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a network attack detection method, apparatus, electronic device, and readable storage medium.
Background
With the rapid development of the internet, network-based business has expanded rapidly and everyday life has come to depend on WEB applications: financial services have produced internet banking, education and entertainment have produced learning software, and transport has produced electronic bus two-dimensional codes, among others. In this context, the development and application of WEB applications have also multiplied security risks, and various WEB attacks such as SQL (Structured Query Language) injection and XSS (Cross Site Scripting) attacks have appeared in succession. At present, defense against these WEB attacks mainly performs attack detection by regular-expression matching or by adding a new device.
However, in the conventional approach of modifying the front-end code and detecting attacks by regular matching, the matching depends on an established blacklist detection mechanism. Although most attacks can be detected, the rule base is difficult to maintain: rules written too broadly easily generate false alarms, and rules written too finely are easily bypassed by attackers. When attack detection is performed by adding a new device, different devices must be deployed and different rules applied for different WEB attacks, and newly appearing attack types are difficult to identify and require the defense system to be developed again.
Disclosure of Invention
The object of the present disclosure includes, for example, providing a network attack detection method, apparatus, electronic device and readable storage medium, which can improve the adaptability and accuracy of network attack detection.
Embodiments of the present disclosure may be implemented as follows:
in a first aspect, an embodiment of the present disclosure provides a network attack detection method, which is applied to an attack detection server, and the method includes:
receiving a website access request, wherein the website access request carries a uniform resource locator of a page to be accessed;
extracting and obtaining the characteristic information of the uniform resource locator;
and importing the extracted characteristic information into a pre-established and trained classification model for classification detection, and determining whether the website access request is a network attack request according to a classification detection result, wherein the classification model is a classification model which is obtained by training according to different training subsamples based on a support vector machine in advance and meets a preset condition, each group of training subsamples respectively comprise a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request, and the number of samples in each group of training subsamples does not exceed a preset value.
In an alternative embodiment, the classification model is pre-established and trained by the following means:
acquiring a training sample and a test sample, wherein the training sample and the test sample respectively comprise a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request;
dividing the training samples into a plurality of groups of different training subsamples, wherein the number of samples in each group of training subsamples does not exceed a preset value;
constructing a support vector machine, and utilizing each group of training subsamples to respectively train the support vector machine to obtain a plurality of classifiers obtained by training;
and classifying and distinguishing the test sample by using each classifier respectively, and obtaining the classifier meeting preset conditions according to the accuracy of classification and distinguishing of each classifier to serve as the classification model.
In an optional embodiment, the step of labeling each sample in the test sample with a sample label, performing classification and discrimination on the test sample by using each classifier, and obtaining a classifier satisfying a preset condition according to an accuracy of the classification and discrimination of each classifier as the classification model includes:
For each classifier, classifying and distinguishing the test samples by using the classifier, comparing the classification and distinguishing result of each sample in the test samples with the sample label of each sample, and if the classification and distinguishing result of a sample is consistent with the sample label of the sample, determining that the classification and distinguishing result of the classifier on the sample is correct;
and taking the classifier with the classification discrimination accuracy higher than a preset threshold value as the classification model.
In an optional embodiment, the step of using a classifier with a classification discrimination accuracy higher than a preset threshold as the classification model includes:
detecting whether a classifier with classification judgment accuracy higher than a preset threshold exists in the plurality of classifiers;
if not, the classification judgment accuracy of each classifier is obtained again, and the process of obtaining the classification judgment accuracy of each classifier again comprises the following steps:
randomly dividing the training sample into a plurality of groups of different training subsamples again, and continuously training the obtained classifier by using each group of training subsamples obtained by the division again;
classifying and judging the test samples by using the classifiers which are continuously trained again, comparing the classification and judgment results of the samples in the test samples with the sample labels of the samples, and obtaining the classification and judgment accuracy of the trained classifiers according to the comparison results;
If the classifier with the classification discrimination accuracy higher than the preset threshold value does not exist, the process of re-obtaining the classification discrimination accuracy of each classifier is repeatedly executed until the classification discrimination accuracy of the trained classifier is higher than the preset threshold value, and the trained classifier with the classification discrimination accuracy higher than the preset threshold value is used as the classification model.
In an optional embodiment, when there are a plurality of classification models, the step of importing the extracted feature information into a pre-established and trained classification model for classification detection, and determining whether the website access request is a network attack request according to a classification detection result includes:
respectively importing the extracted feature information into each pre-established and trained classification model for classification detection to obtain a classification detection result output by each classification model;
and if the classification detection results output by the classification models are consistent, determining whether the website access request is a network attack request or not according to the classification detection results.
In an optional embodiment, the constructed support vector machine comprises an objective function for determining an optimal hyperplane of the support vector machine; and adding a constraint term containing displacement information into the objective function so as to reduce the displacement of the optimal hyperplane.
In an optional embodiment, the extracted feature information includes at least any two of a length of the uniform resource locator, an external link, a preset symbol, a preset character, a feature keyword, a capital letter character frequency, a numeric character frequency, and a space character frequency.
In a second aspect, an embodiment of the present disclosure provides a network attack detection apparatus, which is applied to an attack detection server, and the apparatus includes:
the apparatus comprises a receiving module, an extraction module and a classification detection module, wherein the receiving module is used for receiving a website access request which carries a uniform resource locator of a page to be accessed;
the extraction module is used for extracting and obtaining the characteristic information of the uniform resource locator;
and the classification detection module is used for importing the extracted characteristic information into a pre-established and trained classification model for classification detection, and determining whether the website access request is a network attack request according to a classification detection result, wherein the classification model is a classification model which is obtained by training according to different training subsamples based on a support vector machine in advance and meets a preset condition, each group of training subsamples respectively comprise a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request, and the number of samples in each group of training subsamples is not more than a preset value.
In a third aspect, an embodiment of the present disclosure provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the network attack detection method described in any one of the foregoing embodiments.
In a fourth aspect, the disclosed embodiments provide a readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the network attack detection method according to any one of the foregoing embodiments.
Beneficial effects of the embodiments of the present disclosure include, for example:
the network attack detection method, apparatus, electronic device and readable storage medium provided by the embodiments of the present disclosure obtain a classification model in advance by establishing and training it on the basis of a support vector machine. When network attack detection is performed, the feature information of the uniform resource locator of the page to be accessed in the received website access request is extracted and imported into the trained classification model for classification detection, and whether the website access request is a network attack request is determined according to the classification detection result. The classification model is obtained by training on different training subsamples, based on a support vector machine, and meets a preset condition; the number of samples in each group of training subsamples does not exceed a preset value. Therefore, without increasing hardware cost, the self-learning capacity of the support vector machine is used to effectively improve the adaptability and accuracy of network attack detection, and because training is performed on training subsamples whose group sizes do not exceed the preset value, model accuracy is guaranteed while model training efficiency is improved and model training time is shortened.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present disclosure and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings may be obtained from the drawings without inventive effort.
Fig. 1 is a schematic network architecture diagram of an application scenario of a network attack detection method provided in the embodiment of the present disclosure;
fig. 2 is a flowchart of a network attack detection method provided by the embodiment of the present disclosure;
FIG. 3 is a flowchart of a method for establishing and training a classification model according to an embodiment of the present disclosure;
FIG. 4 is a flowchart of a method for determining a classification model from a plurality of classifiers according to an embodiment of the disclosure;
FIG. 5 is a flowchart of sub-steps included in step S230 of FIG. 2;
fig. 6 is a block diagram of an electronic device provided in an embodiment of the present disclosure;
fig. 7 is a functional block diagram of a network attack detection apparatus according to an embodiment of the present disclosure.
Reference numerals: 100 - server; 110 - processor; 120 - memory; 130 - communication unit; 140 - network attack detection apparatus; 141 - receiving module; 142 - extraction module; 143 - classification detection module; 200 - client.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more clear, the technical solutions of the embodiments of the present disclosure will be described clearly and completely with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are some, but not all embodiments of the present disclosure. The components of the embodiments of the present disclosure, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present disclosure, presented in the figures, is not intended to limit the scope of the claimed disclosure, but is merely representative of selected embodiments of the disclosure. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. It should be noted that the features in the embodiments of the present disclosure may be combined with each other without conflict.
Fig. 1 illustrates a network architecture of an implementation environment for network attack detection provided by an embodiment of the present disclosure. The system of the network architecture may include a client 200 and a server 100, where the client 200 may be a WEB client and may include a WEB browser, and a user may perform information interaction with the server 100 through a link on a WEB browser page. The server 100 may be a WEB server, which is an attack detection server for detecting and defending against network attacks provided by the embodiments of the present disclosure. The WEB server can utilize a classification model obtained based on the training of a support vector machine to carry out network attack detection. Furthermore, those skilled in the art can understand that fig. 1 is only a schematic diagram, and does not specifically limit the network architecture of the network attack detection provided in the present embodiment.
It should be noted that the network attack detection method provided in the embodiments of the present disclosure is applicable to detecting and defending against SQL injection attacks, XSS attacks and the like, and may also be applied to defending against other attack types such as viruses and command injection.
Web applications typically store their data in databases provided by database systems, and SQL injection is one of the common means by which attackers target those databases. SQL statements are created dynamically from user-supplied data, so user input interacts directly with the database through those statements. An SQL injection attack injects SQL commands through the input, that is, illegal data is injected into an input field; once the malicious statement executes, unauthorized access occurs, threatening the security of the data on the server.
XSS attacks are cross-site scripting attacks. Attackers typically use special symbols to turn data content into code content, or use scripts that can invoke a JavaScript interpreter, and hide the malicious script behind a Uniform Resource Locator (URL) or in a WEB page. When a user browses the page, the malicious script embedded in it is executed, achieving the attack on the user. In an XSS attack, the attacker can manipulate HTML (HyperText Markup Language) tables, cookies, URLs and external files. Using this technique, the attacker can inject malicious code into other users' browsers and execute malicious, illegal JavaScript code; once the malicious script runs successfully in the victim's browser, the attacker can obtain private information of the victim, such as cookies, session IDs, signal card numbers and the like.
The support vector machine used in the present disclosure is based on VC-dimension theory (a way of measuring the complexity of a function class) and the principle of structural risk minimization. It can learn from a limited number of samples, finding a balance between model complexity and learning capacity, and therefore generalizes well. Through a nonlinear mapping, it maps data that are hard to classify in a low-dimensional space into a higher-dimensional feature space and finds the hyperplane that maximizes the margin between positive and negative examples. Combined with the scheme of this embodiment, a hyperplane that separates normal network access from network attack access can be found, so network attack detection and judgment can be achieved well through training of the support vector machine.
Referring to fig. 2, fig. 2 is a flowchart of a network attack detection method applied to the server 100 shown in fig. 1, and the steps of the network attack detection method will be described in detail below.
Step S210, receiving a website access request, wherein the website access request carries a uniform resource locator of a page to be accessed.
Step S220, extracting and obtaining the feature information of the uniform resource locator.
Step S230, the extracted feature information is imported into a pre-established and trained classification model for classification detection, and whether the website access request is a network attack request or not is determined according to a classification detection result, wherein the classification model is obtained by training based on a support vector machine in advance.
When a user accesses a webpage, the user inputs the uniform resource locator of the page in order to obtain the desired resource. When the uniform resource locator carries SQL attack code or XSS attack code, the website to be accessed is attacked, and the security of the user's data in the website is threatened.
A main means by which attackers use the URL is to add illegal fields to its parameters. The feature information of the URL can therefore be obtained by analyzing the received uniform resource locator, and classification detection is performed on the extracted feature information with the established and trained classification model to determine whether the uniform resource locator contains illegal fields. If it does, the classification model outputs the corresponding illegal type for the uniform resource locator, that is, the website access request is a network attack request. If it does not, the classification model outputs the normal type, that is, the website access request is a normal website access request.
When the current request is determined to be a network attack request, the request can be intercepted, so that the influence caused by the attack is avoided. And if the current request is determined to be a normal network access request, allowing normal access to the page to be accessed.
In this embodiment, the uniform resource locator in the website access request is classified and detected by the classification model established on the basis of the support vector machine, thereby realizing network attack detection. The classification model is obtained in advance by training on different training subsamples based on a support vector machine and meets the preset condition. Each group of training subsamples contains both training uniform resource locators of normal network access requests and training uniform resource locators of network attack requests, and the number of samples in each group does not exceed the preset value. Therefore, the self-learning and generalization capabilities of the support vector machine are used to detect network attacks without adding new equipment, so that the adaptability and accuracy of network attack detection are effectively improved. Each group of training subsamples, with its small number of samples, is trained independently, and the classification model meeting the preset condition is selected from the results; this guarantees the accuracy of the obtained classification model, improves training efficiency and shortens training time.
Referring to fig. 3, the classification model used in the above steps can be previously established and trained in the following manner.
Step S310, a training sample and a test sample are collected, wherein the training sample and the test sample respectively comprise a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request.
Step S320, dividing the training samples into a plurality of different sets of training subsamples, wherein the number of samples in each set of training subsamples does not exceed a preset value.
Step S330, constructing a support vector machine, and training the support vector machine with each group of training subsamples respectively to obtain a plurality of trained classifiers.
Step S340, classifying and distinguishing the test sample by using each classifier, and obtaining a classifier satisfying a preset condition according to an accuracy of classification and distinguishing of each classifier, as the classification model.
In this embodiment, a collector may be used to obtain uniform resource locators normally accessed by users, to obtain uniform resource locators of SQL injection attacks from an SQL rule base, and to obtain uniform resource locators of XSS attacks from an XSS rule base. XSS attack uniform resource locators can also be obtained by crawling a penetration-testing resource such as xsssed, or by searching an open-source code repository such as GitHub. Uniform resource locators of SQL injection attacks can also be generated with the SQLmap script. Data sets containing the three types of uniform resource locators are then used as the training sample and the test sample.
If the training sample is too large, the training time of the classification model becomes too long, convergence is slow, and obtaining the classification model is hindered. If the training sample is too small, the feature information of the samples may be learned insufficiently, so the classification accuracy of the resulting model may not be high enough.
To solve this problem, in the present embodiment the acquired training sample is divided into a plurality of different groups of training subsamples, and during the division the number of samples in each group does not exceed a preset value. Each small training subsample is then used to train the support vector machine independently to obtain a corresponding classifier, which greatly accelerates convergence and improves the training efficiency of the classifier. Moreover, the groups of training subsamples are trained in parallel, so the total training time does not increase.
The classification accuracy of each of the obtained classifiers is then measured with the original test sample, and the classifier meeting the preset condition is taken as the classification model finally used for network attack detection. A classifier whose classification accuracy meets the requirement can thus be selected from the plurality of classifiers, avoiding the insufficient detection accuracy that may result from training only a single classifier.
The classification model mainly analyzes the uniform resource locator in the access request, for example by processing its digits, letters and characters and analyzing its text structure. SQL injection and XSS attacks generally have significant features such as keywords and a high proportion of digits; therefore, in the model training process, significant feature information must be extracted as the information basis for training.
In this embodiment, when a classifier is obtained by training the support vector machine, the information of each sample in the training sample must be analyzed, that is, feature extraction is performed on the normal uniform resource locators, the uniform resource locators of SQL injection attacks and the uniform resource locators of XSS attacks. The extracted feature information is then used as the input of the support vector machine, which is trained to obtain the classifier. The following examples show possible data forms of a uniform resource locator for normal network access, a uniform resource locator for an SQL injection attack, and a uniform resource locator for an XSS attack:
normal uniform resource locator:
/auction/inclcdes/converter.inc.phpinclude_path=http://192.168.202.118:8080/tzhfyzkbomspvm
uniform resource locator for SQL injection attacks:
/wp-login.phpaction=lostpassword%25%27%29%20LIMIT%201%2C1%20UNTION#20ALL%20SELECT%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%2C%20NULL%23#
Uniform resource locator for XSS attacks (the payload is a script fragment that evaluates user-supplied text):
test.addEventListener('click', function () {
    var node = window.eval(txt.value);
    window.alert(node);
}, false);
The obtained uniform resource locator is generally encoded, so it must be preprocessed to decode the different uniform resource locators into a uniform format. A URL is a string of characters whose content varies greatly with the design of the website, so the URL is segmented into tokens. Because URL characters may only be ASCII, different applications encapsulate and display the data differently. Segmentation can follow a set rule, for example splitting on spaces, "/", "%", "&" and similar separators.
The following shows one possible form of the above SQL injection attack uniform resource locator after decoding:
/wp-login.phpaction=lostpassword%’LIMIT1,1UNTION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
Common forms of SQL injection attack include: changing the case of some characters in the uniform resource locator to evade attack detection; inserting empty characters to change the proportion of space characters in the string; changing the proportion of special characters in the string, for example with closing or truncating characters; and changing the proportion of numeric characters in the string, as in dynamic query deformation attacks.
Therefore, when the feature information of the uniform resource locator is extracted, the features can be chosen according to these common modification forms of SQL injection and XSS attacks. For example, the extracted feature information may include at least any two of eight types of information items: length of the uniform resource locator, external link, preset symbol, preset character, feature keyword, capital letter frequency, numeric character frequency and space character frequency. In practice, to obtain a better training effect, at least five types of information items are generally used to form the feature information for classifier training. The extracted feature information may of course also include other information items; this embodiment does not limit them.
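As an added example, not part of the patent, the preprocessing and feature extraction described above in Python with only the standard library: repeated percent-decoding until the string stops changing (so a double-encoded %2527 is not missed), segmentation on the separators named in the text plus "?" and "=" (an assumption), and the eight information items. The keyword list, the symbol sets and the sample URLs are constructed for this example; the patent does not specify them, and the "preset symbol" and "preset character" items are interpreted here as injection punctuation and comment or truncation sequences respectively.

```python
import re
from urllib.parse import unquote

# Constructed sample request URLs modelled on the three cases shown in the text
# (the "?" between path and query is assumed; the page runs them together).
SAMPLES = {
    "normal": "/auction/includes/converter.inc.php?include_path=http://192.168.202.118:8080/tzhfyzkbomspvm",
    "sqli": "/wp-login.php?action=lostpassword%25%27%29%20LIMIT%201%2C1%20UNION%20ALL%20SELECT%20NULL%2C%20NULL%23",
    "xss": "/search?q=%3Cscript%3Ewindow.alert(window.eval(txt.value))%3C/script%3E",
}

# Separators named in the text (space, "/", "%", "&") plus "?" and "=" (assumed).
SPLIT_RE = re.compile(r"[\s/%&?=]+")
# Assumed sets; the patent does not list them.
PRESET_SYMBOLS = set("'\"<>()[]{};=|`\\")                  # "preset symbol": injection punctuation
PRESET_SEQUENCES = ("--", "/*", "*/", "#", "0x", "\x00")   # "preset character": comment/truncation markers
KEYWORDS = ("union", "select", "from", "where", "limit", "null", "sleep", "insert",
            "update", "drop", "script", "alert", "eval", "onerror", "onload",
            "javascript", "document", "cookie")            # short words like "or" left out: too many false hits
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
FEATURE_NAMES = ("length", "external_link", "preset_symbol", "preset_char",
                 "keyword", "upper_freq", "digit_freq", "space_freq")


def decode_url(url, max_rounds=3):
    """Percent-decode until the string stops changing.

    A single pass misses double encoding (%2527 -> %27 -> '), a common way to slip
    past a decode-then-match filter.  The round cap is an assumption of this
    example so malformed input cannot loop forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def tokenize(url):
    """Segment a (decoded) URL on the separator rule."""
    return [tok for tok in SPLIT_RE.split(url) if tok]


def extract_features(raw_url):
    """Return the eight information items of the text as a name -> value dict."""
    url = decode_url(raw_url)
    n = max(len(url), 1)
    return {
        "length": float(len(url)),
        "external_link": 1.0 if EXTERNAL_RE.search(url) else 0.0,
        "preset_symbol": float(sum(ch in PRESET_SYMBOLS for ch in url)),
        "preset_char": float(sum(url.count(seq) for seq in PRESET_SEQUENCES)),
        "keyword": float(len(KEYWORD_RE.findall(url))),
        "upper_freq": sum(ch.isupper() for ch in url) / n,
        "digit_freq": sum(ch.isdigit() for ch in url) / n,
        "space_freq": url.count(" ") / n,
    }


def feature_vector(raw_url):
    """The D = 8 feature row for one URL, in FEATURE_NAMES order."""
    feats = extract_features(raw_url)
    return [feats[name] for name in FEATURE_NAMES]


if __name__ == "__main__":
    for kind, url in SAMPLES.items():
        print(kind, tokenize(decode_url(url)))
        print(kind, dict(zip(FEATURE_NAMES, feature_vector(url))))
```

Frequencies are computed on the decoded string, since the encoded form inflates the digit count (every %2C adds two digits) and hides spaces entirely; decoding first is what makes the space-frequency and digit-frequency items meaningful for the evasion forms listed above.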
In this embodiment, assuming that the eight types of information items are taken as the extracted feature information, the feature information of the training sample can be represented as:
Figure BDA0002247230070000121
accordingly, the feature information of each training subsample set can be expressed as follows:
Figure BDA0002247230070000122
where N = N0 + N1 + N2, N0, N1 and N2 respectively represent the number of normal URLs, SQL injection attack URLs and XSS attack URLs in the training sample, and D = 8, that is, the extracted feature information comprises the eight types of information items.
In the test sample, the eight types of information items can be used as the extracted feature information, and are represented as follows:
Figure BDA0002247230070000131
where C = C0 + C1 + C2, C0, C1 and C2 respectively represent the number of normal URLs, SQL injection attack URLs and XSS attack URLs in the test sample, and D = 8.
Training the support vector machine amounts to finding, from the training samples, an optimal hyperplane in the sample space that separates samples of different classes. The optimal hyperplane is the one that separates the classes of the training samples without error and maximizes the distance between the hyperplane and the samples closest to it. Finding it is an optimization problem that can be written as the minimization of an objective function, which may take the following form:
Figure BDA0002247230070000132
where w is the normal vector, which determines the direction of the hyperplane; b is the displacement, which determines the distance between the hyperplane and the origin; C' is a constant; and ξ_i is the slack variable. Determining the optimal hyperplane means determining the parameters w and b.
To reduce the displacement of the resulting optimal hyperplane and limit the influence on the classifier of noise samples whose feature information is weak or poorly discriminative, a constraint term containing the displacement may be added to the objective function. In this embodiment the term is b²/2; other constraint terms containing the displacement are possible in other implementations, and this embodiment is not limited in this respect. The objective function with the added term is:
Figure BDA0002247230070000133
The objective function is converted into its dual problem (by what the embodiment calls a quadratic relaxation variable algorithm, introducing Lagrange multipliers) as follows:
Figure BDA0002247230070000141
where α_i is a Lagrange multiplier.
Let:
Figure BDA0002247230070000142
This gives an optimization problem of the form:
Figure BDA0002247230070000143
wherein:
Figure BDA0002247230070000144
Figure BDA0002247230070000145
In this embodiment, for each group of training subsamples, the normal vector w of the corresponding support vector machine is constructed from that group; let:
Figure BDA0002247230070000146
where γ is the set of indices of all samples in one group of training subsamples. Substituting w into the optimization problem above gives:
Figure BDA0002247230070000147
Through this conversion, the problem of optimizing w and b becomes one of optimizing the Lagrange multipliers α_i and b.
Based on the minimized optimization problem, parameters of the hyperplane are continuously optimized through learning of feature information of each sample in the training subsamples, and therefore the optimal hyperplane capable of well distinguishing URLs of different categories is obtained.
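As an added reconstruction, not the patent's own equation images, the soft-margin formulation just described written out with the text's symbols (y_i ∈ {+1, −1} is assumed as the class sign of sample x_i, and γ is the index set of one group of training subsamples as in the text):

$$
\min_{w,\,b,\,\xi}\ \frac{1}{2}\|w\|^{2} + C'\sum_{i\in\gamma}\xi_i
\quad\text{s.t.}\quad y_i\,(w^{\top}x_i + b) \ge 1-\xi_i,\ \ \xi_i \ge 0 .
$$

With the displacement term b²/2 added:

$$
\min_{w,\,b,\,\xi}\ \frac{1}{2}\|w\|^{2} + \frac{1}{2}b^{2} + C'\sum_{i\in\gamma}\xi_i
\quad\text{s.t.}\quad y_i\,(w^{\top}x_i + b) \ge 1-\xi_i,\ \ \xi_i \ge 0 .
$$

Introducing Lagrange multipliers α_i ≥ 0 for the margin constraints and setting the derivatives of the Lagrangian with respect to w, b and ξ_i to zero gives

$$
w=\sum_{i\in\gamma}\alpha_i y_i x_i,\qquad b=\sum_{i\in\gamma}\alpha_i y_i,\qquad 0\le\alpha_i\le C',
$$

and substituting w and b back yields the dual in the α_i alone:

$$
\max_{\alpha}\ \sum_{i\in\gamma}\alpha_i-\frac{1}{2}\sum_{i\in\gamma}\sum_{j\in\gamma}\alpha_i\alpha_j y_i y_j\,\bigl(x_i^{\top}x_j+1\bigr)
\quad\text{s.t.}\quad 0\le\alpha_i\le C'.
$$

The "+1" inside the inner product is where the b²/2 term shows up: it is equivalent to appending a constant feature 1 to every x_i, and it removes the equality constraint Σ α_i y_i = 0 that the plain soft-margin dual carries. Because one hyperplane separates two classes, the three labels 0, 1 and 2 used in this embodiment require a one-vs-rest or one-vs-one reduction, which the text does not spell out.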
The constructed support vector machine is trained separately on each of the groups of training subsamples obtained by the division, yielding several trained classifiers. Each classifier is then tested with the test sample and the better-performing ones are selected. Alternatively, referring to fig. 4, a classifier satisfying a preset condition may be selected from the classifiers as follows:
Step S341, for each classifier, performing classification and discrimination on the test sample by using the classifier, and comparing a classification and discrimination result of each sample in the test sample with a sample label of each sample.
Step S342, if the classification and determination result of the sample is consistent with the sample label of the sample, it is determined that the classification and determination result of the classifier on the sample is correct.
Step S343, if the classification result of the sample is not consistent with the sample label of the sample, the classification result of the classifier on the sample is determined to be incorrect.
And step S344, taking the classifier with the classification judgment accuracy higher than a preset threshold value as the classification model.
Each sample in the test sample carries a sample label that identifies its type: for example, the label of a normal network access uniform resource locator may be 0, that of an SQL injection attack uniform resource locator 1 and that of an XSS attack uniform resource locator 2.
The trained classifier assigns a class to each sample in the test sample. If the classifier classifies a test sample correctly, its output equals the sample label; for example, if the sample label is 1, the classifier's output for that sample should also be 1. For each classifier, its classification accuracy is obtained from its results on the samples of the test sample.
A classifier whose classification accuracy is higher than a preset threshold can therefore be used as a classification model for network attack detection. The preset threshold may be 95% or 97%, for example; this embodiment does not limit it, and the value can be set according to actual requirements.
Of course, in other possible embodiments, the classifier with the highest classification and discrimination accuracy may be used as the classification model from among the plurality of classifiers, and the specific determination manner is not limited in this embodiment and may be set accordingly according to actual requirements.
In this embodiment, to ensure that the classification accuracy of the resulting classification model meets a certain requirement, a classifier is used as the classification model only when its classification accuracy is higher than the preset threshold. If none of the classifiers obtained in one round of training has a classification accuracy above the preset threshold, the step of obtaining the classification accuracy of each classifier is executed again until such a classifier is obtained, which can be done as follows:
The training samples are randomly divided again into several different groups of training subsamples, and each classifier already obtained is trained further with one group of the new training subsamples. The further-trained classifiers classify the test sample, the classification result for each sample is compared with its sample label, and the classification accuracy of each further-trained classifier is obtained from the comparison.
If after this second training no classifier has a classification accuracy above the preset threshold, the process of re-obtaining the classification accuracy of each classifier is repeated until a trained classifier exceeds the threshold, and that classifier is used as the classification model.
The classification accuracy of the resulting classification model can thus be further improved through repeated training and testing.
In practical implementation, there may be a plurality of obtained classification models, that is, there may be a plurality of classifiers whose classification discrimination accuracy is higher than a preset threshold. In this case, please refer to fig. 5 in combination, when the network attack detection application is performed, the following steps may be specifically performed:
And S231, respectively importing the extracted feature information into each pre-established and trained classification model for classification detection, and obtaining a classification detection result output by each classification model.
Step S232, if the classification detection results output by the classification models are consistent, determining whether the website access request is a network attack request according to the classification detection results.
To further ensure the accuracy of network attack detection when several classification models have been obtained, whether a received website access request is a network attack request may be determined by combining the classification detection results of the several classification models.
The feature information of the uniform resource locator of the page to be accessed in the received website access request is imported into each classification model. If the extracted feature information includes several information items, the feature information imported into each classification model should include all of them.
If the classification models give consistent classification results for the uniform resource locator under detection, whether the website access request is a network attack request can be determined from that result. For example, if every classification model classifies the uniform resource locator as that of a normal website access request, the request is determined to be a normal network access request and may be allowed to proceed.
If the classification result of one or more of the classification models indicates that the website access request is a network attack request, the request can be intercepted and whether it is a network attack request is finally determined by other means.
The other means may be, for example, submitting the website access request to a background administrator for determination, retraining the classification model and classifying the request again, or comparing the number of classification models that judge the request normal with the number that judge it a network attack.
For example, if the number of classification models judging the request normal is far greater than the number judging it a network attack, the website access request can be determined to be a normal network access request. Other determination methods may be used in other embodiments; this embodiment does not limit them.
In this way, during training of the support vector machine, the training samples are divided into groups of training subsamples whose size does not exceed the preset value, and each group trains the support vector machine independently. This avoids the long training time, slow convergence and low training efficiency of a support vector machine trained on a large number of samples. Selecting from the resulting classifiers those that satisfy the preset condition as the classification models for network attack detection largely avoids the insufficient learning of feature information, and the resulting drop in classifier accuracy, that the smaller number of training samples per classifier could otherwise cause.
Further, when several classification models have been obtained, the detection stage can combine them to judge the website access request. Determining whether the request is a network attack request from the combined results of several classification models further improves accuracy and reduces the false positives and missed detections that can occur when a single classification model is used.
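As an added example, not the patent's code, the training-side and detection-side procedures above in Python with the standard library only: training samples are dealt into groups no larger than a preset value; a linear soft-margin classifier is trained on each group by subgradient descent on the objective with the b²/2 displacement term (appending a constant 1 feature to each sample makes b an ordinary weight, which is what that term amounts to); the three labels are handled one-vs-rest because a single hyperplane separates only two classes; classifiers are kept only if their accuracy on the test sample exceeds the threshold and are otherwise trained further on a fresh random split; and at detection time the kept models vote as described above. The feature vectors are constructed three-dimensional stand-ins for the eight URL features, not real traffic, and the 3:1 vote ratio is an assumed value. Two cautions the text does not state: the retraining loop needs a round cap or it may never terminate, and because the test sample is used to select classifiers it is really a validation set, so the accuracy it reports is optimistic and a separate held-out sample should give the final figure.

```python
import random

CLASSES = (0, 1, 2)  # sample labels from the text: 0 normal, 1 SQL injection, 2 XSS


def make_dataset(n_per_class, rng, noise=0.05):
    """Constructed stand-in feature vectors: three dimensions instead of the eight URL
    features, with class centres far apart so the classes are linearly separable."""
    centres = {0: (0.1, 0.1, 0.1), 1: (0.9, 0.2, 0.1), 2: (0.2, 0.9, 0.8)}
    X, y = [], []
    for label, centre in centres.items():
        for _ in range(n_per_class):
            X.append([c + rng.gauss(0.0, noise) for c in centre])
            y.append(label)
    return X, y


def split_subsamples(X, y, max_size, rng):
    """Randomly deal the training samples into groups of at most max_size.  Dealing class
    by class keeps every class in every group, which a plain random split does not
    guarantee (a choice made for this example)."""
    n_groups = -(-len(X) // max_size)  # ceiling division
    groups = [([], []) for _ in range(n_groups)]
    slot = 0
    for label in CLASSES:
        idx = [i for i, lab in enumerate(y) if lab == label]
        rng.shuffle(idx)
        for i in idx:
            groups[slot % n_groups][0].append(X[i])
            groups[slot % n_groups][1].append(y[i])
            slot += 1
    return groups


def train_binary_svm(X, y, w=None, epochs=200, lr=0.05, lam=0.01):
    """Soft-margin linear SVM by subgradient descent on (lam/2)||w||^2 + hinge loss, labels
    in {+1, -1}.  A constant 1 is appended to each x, so the last weight is the
    displacement b and the regulariser already contains the b^2/2 term of the text.
    Passing an existing w continues training it (the retraining step)."""
    d = len(X[0]) + 1
    w = list(w) if w is not None else [0.0] * d
    for _ in range(epochs):
        for xi, yi in zip(X, y):
            xa = xi + [1.0]
            margin = yi * sum(wj * xj for wj, xj in zip(w, xa))
            for j in range(d):
                hinge_grad = -yi * xa[j] if margin < 1.0 else 0.0
                w[j] -= lr * (lam * w[j] + hinge_grad)
    return w


def train_ovr(X, y, model=None, **kw):
    """One hyperplane per class (one-vs-rest): one hyperplane separates only two classes."""
    model = model or {}
    return {c: train_binary_svm(X, [1.0 if lab == c else -1.0 for lab in y], model.get(c), **kw)
            for c in CLASSES}


def predict(model, x):
    xa = x + [1.0]
    scores = {c: sum(wj * xj for wj, xj in zip(w, xa)) for c, w in model.items()}
    return max(scores, key=scores.get)


def accuracy(model, X_test, y_test):
    """Steps S341-S343: a verdict is correct when it equals the sample label."""
    return sum(predict(model, x) == lab for x, lab in zip(X_test, y_test)) / len(y_test)


def train_and_select(X_train, y_train, X_test, y_test, threshold=0.95,
                     max_size=20, seed=7, max_rounds=5):
    """Split, train one classifier per group, keep those above the threshold (step S344);
    otherwise re-split and continue training.  max_rounds is an added cap, since the
    text's loop has no termination condition."""
    rng = random.Random(seed)
    classifiers = [train_ovr(Xs, ys)
                   for Xs, ys in split_subsamples(X_train, y_train, max_size, rng)]
    for _ in range(max_rounds):
        selected = [m for m in classifiers if accuracy(m, X_test, y_test) > threshold]
        if selected:
            return classifiers, selected
        groups = split_subsamples(X_train, y_train, max_size, rng)
        classifiers = [train_ovr(Xs, ys, model=m) for m, (Xs, ys) in zip(classifiers, groups)]
    raise RuntimeError("no classifier reached the accuracy threshold")


def combine_votes(votes, ratio=3.0):
    """Steps S231-S232 plus the ratio rule: unanimous normal -> allow, unanimous attack ->
    block; a split vote is allowed only when normal verdicts outnumber attack verdicts
    by `ratio` (an assumed value), otherwise the request is held for review."""
    normal = votes.count(0)
    attack = len(votes) - normal
    if attack == 0:
        return "allow"
    if normal == 0:
        return "block"
    return "allow" if normal >= ratio * attack else "review"


def decide(models, x, ratio=3.0):
    """Run every kept model on one feature vector and combine the verdicts."""
    votes = [predict(m, x) for m in models]
    return combine_votes(votes, ratio), votes


def build_models(seed=7):
    """Constructed training and test samples, then the full train-and-select procedure."""
    rng = random.Random(seed)
    X_train, y_train = make_dataset(20, rng)
    X_test, y_test = make_dataset(10, rng)
    classifiers, selected = train_and_select(X_train, y_train, X_test, y_test, seed=seed)
    return classifiers, selected, X_test, y_test


if __name__ == "__main__":
    classifiers, selected, X_test, y_test = build_models()
    print(len(selected), "of", len(classifiers), "kept;", decide(selected, [0.9, 0.2, 0.1]))
```

`combine_votes` is kept separate from the models so the decision policy can be tested on its own: a request that any kept model flags is never silently allowed, and the ratio rule only downgrades a minority attack verdict to "allow" when the normal verdicts dominate by the configured factor.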
Please refer to fig. 6, which is a block diagram of an electronic device according to another preferred embodiment of the present disclosure. The electronic device may be the server 100 described above. The electronic device includes a cyber attack detecting apparatus 140, a memory 120, a processor 110, and a communication unit 130.
The memory 120, the processor 110 and the communication unit 130 are electrically connected to each other directly or indirectly to exchange information, for example via one or more communication buses or signal lines. The memory 120 stores software functional modules in the form of software or firmware, and the processor 110 executes the functional applications and data processing by running the software programs and modules stored in the memory 120, such as the network attack detection apparatus 140 of this embodiment, so as to implement the network attack detection method of this embodiment.
The memory 120 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 120 stores a program, and the processor 110 executes the program after receiving an execution instruction. The communication unit 130 establishes communication with the client 200.
The processor 110 may be an integrated circuit chip having signal processing capabilities. The Processor 110 may be a general-purpose Processor including a Central Processing Unit (CPU), a Network Processor (NP), and the like. But may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present disclosure may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
Referring to fig. 7, which is a functional block diagram of a network attack detecting device 140 according to another preferred embodiment of the present disclosure, the network attack detecting device 140 includes a receiving module 141, an extracting module 142, and a classification detecting module 143.
The receiving module 141 is configured to receive a website access request, where the website access request carries a uniform resource locator of a page to be accessed. The receiving module 141 may be configured to perform step S210 shown in fig. 2, and a detailed description of the step S210 may be referred to for a specific operation method.
And an extracting module 142, configured to extract and obtain feature information of the uniform resource locator. The extracting module 142 may be configured to execute step S220 shown in fig. 2, and the detailed description of step S220 may be referred to for a specific operation method.
The classification detection module 143 is configured to import the extracted feature information into a pre-established and trained classification model for classification detection, and determine whether the website access request is a network attack request according to a classification detection result, where the classification model is a classification model that is obtained by training based on a support vector machine in advance and according to different training subsamples respectively and meets a preset condition, each group of training subsamples respectively includes a training uniform resource locator for a normal network access request and a training uniform resource locator for a network attack request, and the number of samples in each group of training subsamples does not exceed a preset value. The classification detection module 143 may be configured to perform step S230 shown in fig. 2, and the detailed description of step S230 may be referred to for a specific operation method.
In a possible implementation manner of this embodiment, if there are a plurality of obtained classification models, the classification detection module 143 may be configured to determine whether the website access request is a network attack request by:
respectively importing the extracted feature information into each pre-established and trained classification model for classification detection to obtain a classification detection result output by each classification model;
and if the classification detection results output by the classification models are consistent, determining whether the website access request is a network attack request or not according to the classification detection results.
As a possible implementation manner, the feature information obtained by the above extraction includes at least any two of a length of the uniform resource locator, an external link, a preset symbol, a preset character, a feature keyword, a capital letter character frequency, a numeric character frequency, and a space character frequency.
In a possible implementation manner of this embodiment, the classification model may be pre-established and trained in the following ways:
acquiring a training sample and a test sample, wherein the training sample and the test sample respectively comprise a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request;
Dividing the training samples into a plurality of groups of different training subsamples, wherein the number of samples in each group of training subsamples does not exceed a preset value;
constructing a support vector machine, and utilizing each group of training subsamples to respectively train the support vector machine to obtain a plurality of classifiers obtained by training;
and classifying and distinguishing the test sample by using each classifier respectively, and obtaining the classifier meeting preset conditions according to the accuracy of classification and distinguishing of each classifier to serve as the classification model.
As a possible implementation manner, the above-constructed support vector machine includes an objective function for determining an optimal hyperplane of the support vector machine; and adding a constraint term containing displacement information into the objective function so as to reduce the displacement of the optimal hyperplane.
In a possible embodiment, each sample in the test sample is labeled with a sample label, and the classification model can be obtained by:
for each classifier, classifying and distinguishing the test samples by using the classifier, comparing the classification and distinguishing result of each sample in the test samples with the sample label of each sample, and if the classification and distinguishing result of a sample is consistent with the sample label of the sample, determining that the classification and distinguishing result of the classifier on the sample is correct;
And taking the classifier with the classification discrimination accuracy higher than a preset threshold value as the classification model.
In a possible implementation manner, when a classifier with a classification discrimination accuracy higher than a preset threshold is used as the classification model, the classification model can be specifically implemented by the following steps:
detecting whether a classifier with classification judgment accuracy higher than a preset threshold exists in the plurality of classifiers;
if not, the classification judgment accuracy of each classifier is obtained again, and the process of obtaining the classification judgment accuracy of each classifier again comprises the following steps:
randomly dividing the training sample into a plurality of groups of different training subsamples again, and continuously training the obtained classifier by using each group of training subsamples obtained by the division again;
classifying and judging the test samples by using the classifiers which are continuously trained again, comparing the classification and judgment results of the samples in the test samples with the sample labels of the samples, and obtaining the classification and judgment accuracy of the trained classifiers according to the comparison results;
if the classifier with the classification discrimination accuracy higher than the preset threshold value does not exist, the process of re-obtaining the classification discrimination accuracy of each classifier is repeatedly executed until the classification discrimination accuracy of the trained classifier is higher than the preset threshold value, and the trained classifier with the classification discrimination accuracy higher than the preset threshold value is used as the classification model.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.
Through the above description of the embodiments, those skilled in the art will clearly understand that the embodiments of the present disclosure may be implemented by hardware, or by software plus a necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.), and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the implementation scenarios of the present disclosure.
To sum up, the network attack detection method, the network attack detection device, the electronic device, and the readable storage medium provided by the embodiments of the present disclosure obtain a classification model by building and training based on a support vector machine in advance, extract and obtain feature information of a uniform resource locator of a page to be accessed in a received website access request when performing network attack detection, and import the obtained feature information into the classification model obtained by training for classification detection. And determining whether the website access request is a network attack request according to the classification detection result. The classification model is a classification model which is obtained by training according to different training subsamples and is based on a support vector machine in advance, and meets preset conditions, and the number of samples in each group of training subsamples does not exceed a preset value.
Therefore, the self-learning capability of the support vector machine is utilized to effectively improve the self-adaptability and the accuracy of the network attack detection on the basis of not increasing the hardware cost. And training is carried out based on the training subsamples of which the number of the groups of samples does not exceed the preset value, so that the model accuracy is guaranteed, the model training efficiency is improved, and the model training time is shortened.
In the embodiments provided in the present disclosure, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present disclosure may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present disclosure may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present disclosure. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that, in this document, terms such as "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only for the specific embodiments of the present disclosure, but the scope of the present disclosure is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present disclosure, and all the changes or substitutions should be covered within the scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be subject to the protection scope of the claims.

Claims (9)

1. A network attack detection method is applied to an attack detection server, and the method comprises the following steps:
receiving a website access request, wherein the website access request carries a uniform resource locator of a page to be accessed;
extracting and obtaining the characteristic information of the uniform resource locator;
importing the extracted characteristic information into a pre-established and trained classification model for classification detection, and determining whether the website access request is a network attack request according to a classification detection result, wherein the classification model is obtained in advance by training a support vector machine on different groups of training subsamples and satisfies a preset condition, each group of training subsamples comprises a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request, and the number of samples in each group of training subsamples does not exceed a preset value;
wherein the support vector machine comprises an objective function used to determine the optimal hyperplane of the support vector machine, and a constraint term containing displacement information is added to the objective function so as to reduce the displacement of the optimal hyperplane.
2. The network attack detection method according to claim 1, wherein the classification model is pre-established and trained by:
acquiring a training sample and a test sample, wherein the training sample and the test sample each comprise a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request;
dividing the training sample into a plurality of groups of different training subsamples, wherein the number of samples in each group of training subsamples does not exceed a preset value;
constructing a support vector machine, and training the support vector machine with each group of training subsamples respectively to obtain a plurality of trained classifiers;
and performing classification discrimination on the test sample with each classifier respectively, and obtaining, according to the classification discrimination accuracy of each classifier, the classifier that satisfies the preset condition to serve as the classification model.
3. The network attack detection method according to claim 2, wherein each sample in the test sample is labeled with a sample label, and the step of performing classification discrimination on the test sample with each classifier respectively and obtaining, according to the classification discrimination accuracy of each classifier, the classifier that satisfies the preset condition to serve as the classification model comprises:
for each classifier, performing classification discrimination on the test sample with the classifier, comparing the classification discrimination result for each sample in the test sample with the sample label of that sample, and, if the classification discrimination result for a sample is consistent with the sample label of the sample, determining that the classification discrimination result of the classifier on the sample is correct;
and taking the classifier whose classification discrimination accuracy is higher than a preset threshold as the classification model.
4. The network attack detection method according to claim 3, wherein the step of taking the classifier whose classification discrimination accuracy is higher than a preset threshold as the classification model comprises:
detecting whether a classifier with a classification discrimination accuracy higher than the preset threshold exists among the plurality of classifiers;
if not, re-obtaining the classification discrimination accuracy of each classifier, wherein the process of re-obtaining the classification discrimination accuracy of each classifier comprises the following steps:
randomly dividing the training sample again into a plurality of groups of different training subsamples, and continuing to train the obtained classifiers with each group of training subsamples obtained by the re-division;
performing classification discrimination on the test sample with each classifier that has been further trained, comparing the classification discrimination result for each sample in the test sample with the sample label of that sample, and obtaining the classification discrimination accuracy of each trained classifier according to the comparison results;
and if no classifier with a classification discrimination accuracy higher than the preset threshold exists, repeatedly executing the process of re-obtaining the classification discrimination accuracy of each classifier until the classification discrimination accuracy of a trained classifier is higher than the preset threshold, and taking the trained classifier whose classification discrimination accuracy is higher than the preset threshold as the classification model.
5. The network attack detection method according to claim 1, wherein, when a plurality of classification models are provided, the step of importing the extracted feature information into the pre-established and trained classification model for classification detection and determining whether the website access request is a network attack request according to the classification detection result comprises:
respectively importing the extracted feature information into each pre-established and trained classification model for classification detection to obtain a classification detection result output by each classification model;
and if the classification detection results output by the classification models are consistent, determining whether the website access request is a network attack request or not according to the classification detection results.
6. The network attack detection method according to claim 1, wherein the extracted feature information includes at least any two of a length of the uniform resource locator, an external link, a preset symbol, a preset character, a feature keyword, an uppercase alphabetic character frequency, a numeric character frequency, and a space character frequency.
7. A network attack detection device, applied to an attack detection server, the device comprising:
a receiving module, configured to receive a website access request, wherein the website access request carries a uniform resource locator of a page to be accessed;
an extraction module, configured to extract the characteristic information of the uniform resource locator;
a classification detection module, configured to import the extracted feature information into a pre-established and trained classification model for classification detection and to determine whether the website access request is a network attack request according to a classification detection result, wherein the classification model is obtained in advance by training a support vector machine on different groups of training subsamples and satisfies a preset condition, each group of training subsamples comprises a training uniform resource locator of a normal network access request and a training uniform resource locator of a network attack request, and the number of samples in each group of training subsamples does not exceed a preset value;
wherein the support vector machine comprises an objective function used to determine the optimal hyperplane of the support vector machine, and a constraint term containing displacement information is added to the objective function so as to reduce the displacement of the optimal hyperplane.
8. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the network attack detection method according to any one of claims 1 to 6 when executing the computer program.
9. A readable storage medium on which a computer program is stored, the computer program, when being executed by a processor, implementing the network attack detection method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911021057.9A CN110808968B (en) 2019-10-25 2019-10-25 Network attack detection method and device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911021057.9A CN110808968B (en) 2019-10-25 2019-10-25 Network attack detection method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN110808968A CN110808968A (en) 2020-02-18
CN110808968B true CN110808968B (en) 2022-02-11

Family

ID=69489194

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911021057.9A Active CN110808968B (en) 2019-10-25 2019-10-25 Network attack detection method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN110808968B (en)

Families Citing this family (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112131249A (en) * 2020-09-28 2020-12-25 绿盟科技集团股份有限公司 Attack intention identification method and device
CN112668913A (en) * 2020-12-31 2021-04-16 深圳前海微众银行股份有限公司 Network construction method, device, equipment and storage medium based on federal learning
CN112437099B (en) * 2021-01-27 2021-05-14 腾讯科技(深圳)有限公司 Network attack detection method and device, storage medium and electronic equipment
CN112968891B (en) * 2021-02-19 2022-07-08 山东英信计算机技术有限公司 Network attack defense method and device and computer readable storage medium
CN113312622A (en) * 2021-06-09 2021-08-27 中国电子产品可靠性与环境试验研究所((工业和信息化部电子第五研究所)(中国赛宝实验室)) Method and device for detecting URL (Uniform resource locator)
CN113612765B (en) * 2021-07-30 2023-06-27 北京锐安科技有限公司 Website detection method and device, computer equipment and storage medium
CN113949528A (en) * 2021-09-09 2022-01-18 中云网安科技有限公司 Access control method and device based on flow data, storage medium and equipment
CN113904837A (en) * 2021-09-30 2022-01-07 北京天融信网络安全技术有限公司 Attack detection method, device, electronic equipment and medium
CN113965377A (en) * 2021-10-21 2022-01-21 北京天融信网络安全技术有限公司 Attack behavior detection method and device
CN114285641B (en) * 2021-12-24 2024-04-05 中国电信股份有限公司 Network attack detection method and device, electronic equipment and storage medium
CN114553523A (en) * 2022-02-21 2022-05-27 平安普惠企业管理有限公司 Attack detection method and device based on attack detection model, medium and equipment
CN114598552A (en) * 2022-03-29 2022-06-07 邹瀴 Interface access control method and device, electronic equipment and storage medium
CN115022060B (en) * 2022-06-13 2024-02-27 武汉思普崚技术有限公司 Real-time filtering method and device for network attack
CN115102773A (en) * 2022-06-29 2022-09-23 苏州浪潮智能科技有限公司 Smuggling attack detection method, system, equipment and readable storage medium
CN115118514A (en) * 2022-07-11 2022-09-27 深信服科技股份有限公司 Data detection method, device, equipment and medium
CN115987620B (en) * 2022-12-21 2023-11-07 北京天云海数技术有限公司 Method and system for detecting web attack

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103106262B (en) * 2013-01-28 2016-05-11 新浪网技术(中国)有限公司 The method and apparatus that document classification, supporting vector machine model generate
CN104217160B (en) * 2014-09-19 2017-11-28 中国科学院深圳先进技术研究院 A kind of Chinese detection method for phishing site and system
CN105631414B (en) * 2015-12-23 2019-04-05 上海理工大学 A kind of vehicle-mounted multi-obstacle avoidance sorter and method based on Bayes classifier
CN106203485A (en) * 2016-07-01 2016-12-07 北京邮电大学 A kind of parallel training method and device of support vector machine
CN108573146A (en) * 2017-03-07 2018-09-25 华为技术有限公司 A kind of malice URL detection method and device
CN107577945B (en) * 2017-09-28 2021-03-23 创新先进技术有限公司 URL attack detection method and device and electronic equipment
CN108123908B (en) * 2017-12-14 2020-10-27 杭州电子科技大学 Improved SVM (support vector machine) equalization method and system for NG-PON (NG-Passive optical network)
CN108154178A (en) * 2017-12-25 2018-06-12 北京工业大学 Semi-supervised support attack detection method based on improved SVM-KNN algorithms
CN108259494B (en) * 2018-01-17 2020-10-02 北京邮电大学 Network attack detection method and device
CN108171280A (en) * 2018-01-31 2018-06-15 国信优易数据有限公司 A kind of grader construction method and the method for prediction classification
CN109740634A (en) * 2018-12-11 2019-05-10 中科恒运股份有限公司 Disaggregated model training method and terminal device
CN109670302B (en) * 2018-12-19 2023-04-18 浙江工业大学 SVM-based classification method for false data injection attacks

Also Published As

Publication number Publication date
CN110808968A (en) 2020-02-18

Similar Documents

Publication Publication Date Title
CN110808968B (en) Network attack detection method and device, electronic equipment and readable storage medium
CN108259494B (en) Network attack detection method and device
US11463476B2 (en) Character string classification method and system, and character string classification device
Jerlin et al. A new malware detection system using machine learning techniques for API call sequences
US9525702B2 (en) Similarity search and malware prioritization
US11580760B2 (en) Visual domain detection systems and methods
CN109005145B (en) Malicious URL detection system and method based on automatic feature extraction
CN111585955B (en) HTTP request abnormity detection method and system
Goswami et al. An Unsupervised Method for Detection of XSS Attack.
CN110191096B (en) Word vector webpage intrusion detection method based on semantic analysis
CN103577755A (en) Malicious script static detection method based on SVM (support vector machine)
KR101858620B1 (en) Device and method for analyzing javascript using machine learning
Liu et al. An efficient multistage phishing website detection model based on the CASE feature framework: Aiming at the real web environment
WO2020082763A1 (en) Decision trees-based method and apparatus for detecting phishing website, and computer device
CN113347177A (en) Phishing website detection method, phishing website detection system, electronic device and readable storage medium
CN111460803B (en) Equipment identification method based on Web management page of industrial Internet of things equipment
CN114357443A (en) Malicious code detection method, equipment and storage medium based on deep learning
Hai et al. Detection of malicious URLs based on word vector representation and ngram
Gao et al. Detecting SQL injection attacks using grammar pattern recognition and access behavior mining
US10158664B2 (en) Malicious code detection
Gong et al. Model uncertainty based annotation error fixing for web attack detection
CN113067792A (en) XSS attack identification method, device, equipment and medium
CN110855635B (en) URL (Uniform resource locator) identification method and device and data processing equipment
Prasetio et al. Cross-site Scripting Attack Detection Using Machine Learning with Hybrid Features
Mumu et al. Malicious URL detection using machine learning and deep learning algorithms

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant