CN112241358A - Method and system for determining WEB application 0day bug - Google Patents


Info

Publication number
CN112241358A
Authority
CN
China
Prior art keywords
data
target detection
determining
web application
detection data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910646714.2A
Other languages
Chinese (zh)
Inventor
胡金涌
高力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Yundun Information Technology Co ltd
Original Assignee
Shanghai Yundun Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/366 Software debugging using diagnostics
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Abstract

Compared with the prior art, the method and system for determining a WEB application 0day bug screen the request data of the WEB application and judge whether the request data belong to static resource request data; for non-static resource request data, judge whether a known vulnerability attack exists by comparing the data with a known vulnerability library; if the target detection data are not an attack on a known bug, perform word segmentation processing on the target detection data to obtain target character string data; perform vectorization conversion on the target character string data to obtain target vector data; input the target vector data into the trained neural network model to obtain a predicted value; and judge whether the predicted value is within a preset threshold range, thereby determining whether a WEB application 0day bug exists in the target detection data. On the premise that WEB application 0day vulnerability detection keeps a high success rate, the method and system greatly reduce the investment of human resources and the maintenance cost of the detection environment.

Description

Method and system for determining WEB application 0day bug
Technical Field
The application relates to the technical field of computer information security, in particular to a technology for determining a WEB application 0day bug.
Background
In network attacks against WEB applications, vulnerabilities in the WEB application are a common means by which an attacker mounts an effective attack and gains illegal benefits. When a vulnerability in a WEB application is actively discovered by non-attackers such as the vendor or white hats, a response scheme is formed through emergency handling and the vulnerability is disclosed to the public at the first opportunity; a vulnerability that has a response scheme thus becomes a known vulnerability and can no longer serve as a means of gaining illegal benefits. But when a vulnerability in a WEB application is held by one or several finders who neither inform the vendor so that it can be repaired nor disclose it to the public, and who instead use it to mount effective attacks for illegal benefit, that vulnerability is a WEB application 0day vulnerability.
Therefore, since no coping scheme exists for a WEB application 0day vulnerability, a 0day vulnerability attack can have serious consequences for the WEB application and is often highly sudden and destructive.
In the prior art, the following methods are mainly used for determining the 0day bug of the WEB application:
The first method: manually screen the access log of the WEB application, find accesses showing suspected abnormal behavior, and perform related verification to determine whether a 0day bug exists. Because the access log of a WEB application generally carries a large amount of information, screening it purely by manpower is very inefficient; in addition, very large human resources must be invested, and the labor cost is very high.
The second method: starting from user access behavior, compute a security score by combining dimensions such as file monitoring, WEB application process behavior monitoring and system anomaly analysis, and consider the WEB application intruded when the security score exceeds a preset threshold. This method is mainly used to identify intrusions into the WEB application; it can only distinguish normal behavior from abnormal behavior and cannot classify the abnormal behavior into known vulnerabilities or 0day vulnerabilities. That is, when abnormal behavior is identified, some 0day bug attacks may be included in it, but the method cannot tell known bugs from 0day bugs, and its capability to detect unknown vulnerability attacks is limited.
The third method: open the document loading function of one or a certain type of specific software and detect whether a WEB application 0day bug exists. Its defects are, first, that the detection and identification object is single, aiming only at one or a certain type of specific software; and second, that the identified function point is single, aiming only at the function of opening and loading documents. Moreover, the method must construct running environments of different versions in virtual machines according to the software's multiple branch versions, patch information and so on, open and run the suspicious documents in the virtual running environment of each version, and judge whether abnormal behavior exists according to conditions such as the APIs called while the documents run. The detection environment required by this method is therefore complex to construct and costly to maintain.
In summary, providing a more optimized method for determining the 0day bug of the WEB application becomes an urgent problem to be solved.
Disclosure of Invention
The application aims to provide a method and a system for determining a WEB application 0day bug.
According to one aspect of the application, a method for determining a 0day vulnerability of a WEB application is provided, wherein the method comprises the following steps:
screening request data of the WEB application to be detected, and determining target detection data;
determining whether an attack for a known vulnerability exists based on the target detection data;
when the target detection data does not have an attack aiming at a known bug, determining target vector data based on the target detection data;
determining a predicted value based on the target vector data through a neural network model, wherein the predicted value is used for judging whether a 0day bug exists;
judging whether the predicted value is within a preset threshold range, and determining that a 0day bug exists when the predicted value is not within the preset threshold range.
Preferably, the screening the request data of the WEB application to be detected and determining the target detection data includes: judging whether the request data of the to-be-detected WEB application is static resource request data, and determining the request data as target detection data if it is not static resource request data.
Preferably, the determining whether there is an attack against a known vulnerability based on the target detection data comprises: comparing the target detection data with all known vulnerabilities in a known vulnerability library, and determining that the target detection data has no attack against a known vulnerability when no corresponding known vulnerability is matched in the known vulnerability library.
Preferably, the determining target vector data based on the target detection data comprises:
performing word segmentation processing on the target detection data to obtain target character string data;
performing vectorization conversion on the target character string data to obtain the target vector data.
Specifically, the determining, by the neural network model, a predicted value based on the target vector data includes: inputting the target vector data into the neural network model; multiplying the input layer weight matrix of the neural network model by the target vector data to generate the first layer input matrix of the hidden layer; multiplying that first layer input matrix by the next layer weight matrix of the hidden layer to generate the next layer input matrix of the hidden layer; continuing in this way until the output layer is reached; multiplying the last layer input matrix of the hidden layer by the output layer weight matrix to generate the output value of the output layer; and determining that output value as the predicted value. The size of each layer weight matrix in the hidden layer is the product of the number of neurons in the next layer and the number of neurons in the current layer, and the weight matrices of the input layer, the hidden layer and the output layer are determined after training.
Preferably, the generating of the neural network model comprises: acquiring an abnormal data set and a normal data set; and training the abnormal data set and the normal data set by adopting a neural network learning algorithm to generate the neural network model, wherein the abnormal data set is a data set comprising all known vulnerabilities.
Specifically, before the training of the abnormal data set and the normal data set, the method further includes:
performing word segmentation on data in all samples of the abnormal data set and the normal data set;
counting the number of samples of each word in all samples, sequencing each word according to the number of samples, and assigning a sequence number uniquely corresponding to the word to form a dictionary;
performing vectorization conversion on the samples using the dictionary, each sample yielding one group of vector data for training.
Further, the method for determining a 0day vulnerability of a WEB application further includes: acquiring a secondary verification result of the target detection data corresponding to the determined existence of the 0day bug; and when the secondary verification result of the target detection data corresponding to the 0day vulnerability is normal data, adding the target detection data into the normal data set to iteratively update the neural network model.
Preferably, the method for determining a 0day vulnerability of a WEB application further includes: when the secondary verification result of the target detection data corresponding to the 0day bug is abnormal data and the target detection data has an attack against a known bug, updating the known bug library.
According to another aspect of the present application, there is also provided a system for determining a 0day vulnerability of a WEB application, wherein the system includes:
the screening module is used for screening the request data of the WEB application to be detected and determining target detection data;
a known vulnerability detection module for determining whether there is an attack against a known vulnerability based on the target detection data;
the prediction module is used for determining target vector data based on the target detection data when the target detection data has no attack to a known bug, and determining a predicted value based on the target vector data through a neural network model;
the result judging module is used for judging whether the predicted value is within a preset threshold range, and determining that a 0day bug exists when the predicted value is not within the preset threshold range.
Preferably, the system for determining a 0day vulnerability of a WEB application further includes:
the abnormal data set module is used for storing known bugs of all WEB applications and other known types of abnormal data;
the normal data set module is used for storing known types of normal data of all WEB applications;
the training module is used for preprocessing the data in the abnormal data set module and the normal data set module and for training, by means of a neural network learning algorithm, to generate the neural network model.
Further, the system for determining a 0day vulnerability of a WEB application further includes:
the secondary verification module is used for performing secondary verification on the target detection data determined to have a 0day bug to obtain a secondary verification result, and for updating the normal data set and/or the abnormal data set based on the secondary verification result so as to iteratively update the neural network model.
The method screens the request data of the WEB application to be detected to determine target detection data; determines, based on the target detection data, whether an attack against a known bug exists; when the target detection data has no attack against a known bug, determines target vector data based on the target detection data; determines a predicted value based on the target vector data through a neural network model, the predicted value being used to judge whether a 0day bug exists; and judges whether the predicted value is within a preset threshold range, determining that a 0day bug exists when it is not. In this way, whether the request data of the WEB application carries a 0day vulnerability attack can be identified quickly and efficiently without investing large human resources or detection environment maintenance cost, which gives the method high practical and market value.
Moreover, a secondary verification result is obtained for the target detection data determined to have a 0day bug: when the secondary verification result is normal data, the target detection data is added to the normal data set so as to iteratively update the neural network model; when the secondary verification result is abnormal data and the target detection data carries an attack against a known bug, the known bug library is updated. This further improves the detection success rate, dynamically updates the data sets, and helps improve the success rate of subsequently determining WEB application 0day bugs.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 illustrates a flow diagram of a method for determining a WEB application 0day vulnerability in accordance with an aspect of the subject application;
FIG. 2 illustrates a block diagram of a system for determining a WEB application 0day vulnerability according to another aspect of the subject application;
FIG. 3 illustrates a block diagram of a system for training and generating a neural network model, according to another aspect of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present invention is described in further detail below with reference to the attached drawing figures.
In a typical configuration of the present application, each module and trusted party of the system includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media does not include transitory media, such as modulated data signals and carrier waves.
In order to further explain the technical means and effects adopted by the present application, the following description clearly and completely describes the technical solution of the present application with reference to the accompanying drawings and preferred embodiments.
Fig. 1 is a flowchart illustrating a method for determining a 0day vulnerability of a WEB application according to an aspect of the present application, where the method of an embodiment includes:
S11: screening request data of the WEB application to be detected, and determining target detection data;
S12: determining whether there is an attack against a known vulnerability based on the target detection data;
S13: when the target detection data do not have an attack against a known bug, determining target vector data based on the target detection data;
S14: determining a predicted value based on the target vector data through a neural network model, wherein the predicted value is used for judging whether a 0day bug exists;
S15: judging whether the predicted value is within a preset threshold range, and determining that a 0day bug exists when the predicted value is not within the preset threshold range.
In the present application, the method is performed by a device 1, the device 1 is a computer device and/or a cloud, the computer device includes but is not limited to a personal computer, a notebook computer, an industrial computer, a network host, a single network server, a plurality of network server sets; the Cloud is made up of a large number of computers or web servers based on Cloud Computing (Cloud Computing), which is a type of distributed Computing, a virtual supercomputer consisting of a collection of loosely coupled computers.
The computer device and/or cloud are merely examples, and other existing or future devices and/or resource sharing platforms, as applicable to the present application, are also intended to be included within the scope of the present application and are hereby incorporated by reference.
In this embodiment, in the step S11, the request data of the WEB application to be detected is screened to determine target detection data.
When the device 1 acquires request data of a to-be-detected WEB application, the data is firstly screened, where the device 1 may screen each request data acquired each time, or the device 1 may further screen after acquiring a certain amount of request data, or may acquire request data within a preset time interval, and screen once at every preset time interval. By means of screening, request data which are obviously not 0day bugs can be filtered, useless detection is avoided, and detection efficiency is improved.
Preferably, the screening the request data of the WEB application to be detected and determining the target detection data includes: judging whether the request data of the to-be-detected WEB application is static resource request data, and determining the request data as target detection data if it is not static resource request data.
Here, the static resources include, but are not limited to, data resources such as pictures, js, css, etc. which are obviously not 0day vulnerabilities. The format of the static resource may be preset, when the request data of the to-be-detected WEB application is acquired, the format included in the request data is matched with the preset format of the static resource, if the acquired request data of the to-be-detected WEB application does not include the preset format of the static resource, the request data is non-static resource request data, and the request data of the to-be-detected WEB application is determined as target detection data.
Request data of the WEB application for a static resource uses the GET or HEAD request method, and the path part of its URL contains no characters with a directory traversal and/or truncation feature.
In this embodiment, in step S12, whether there is an attack against a known vulnerability is determined based on the target detection data.
Preferably, the target detection data is compared with all known vulnerabilities in a known vulnerability library, and when no corresponding known vulnerability is matched in the known vulnerability library, it is determined that the target detection data does not have an attack against the known vulnerability. Here, the known vulnerability library stores existing known vulnerabilities.
Whether an attack against a known vulnerability exists in the target detection data is determined by comparison through certain detection methods. A detection method is designed according to the attack characteristics, vulnerability verification and/or vulnerability principle of a known vulnerability and is used to detect whether the target detection data targets that known vulnerability. For example, combining the features of the various known vulnerabilities, detection of whether the target detection data contains an attack against a known vulnerability is performed using methods including, but not limited to, regular expression matching, feature string matching and/or certain logic judgment methods.
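As an added example (not code from the patent or its assignee), the two screening stages S11 and S12 in Python: static-resource filtering by request method, preset file format and absence of traversal/truncation features, followed by comparison against a known vulnerability library implemented as regular expressions. The static format list, the library signatures and the sample requests are all constructed placeholders, not a real signature set.

```python
import re
from urllib.parse import urlsplit, unquote

# Preset formats of static resources (pictures, js, css, ...): constructed list.
STATIC_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".js", ".css", ".woff"}

# Features that disqualify a request from static-resource treatment: a directory
# traversal segment in the decoded path, or a truncation (NUL) character.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
TRUNCATION_RE = re.compile(r"%00|\x00")

# Constructed known-vulnerability library: signature name -> regex applied to the
# request line. Placeholders only; a real library holds per-vulnerability rules.
KNOWN_VULN_LIBRARY = {
    "constructed-path-traversal": re.compile(r"\.\./"),
    "constructed-null-truncation": re.compile(r"%00"),
}


def _extension(path: str) -> str:
    """Lower-cased extension of the last path segment, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_static_resource_request(method: str, url: str) -> bool:
    """S11: a request counts as a static-resource request (and is filtered out)
    only if it uses GET/HEAD, its path has a preset static format, and neither the
    raw URL nor the decoded path shows a traversal or truncation feature."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    path = unquote(urlsplit(url).path)
    if TRAVERSAL_RE.search(path) or TRUNCATION_RE.search(path) or TRUNCATION_RE.search(url):
        return False
    return _extension(path) in STATIC_EXTENSIONS


def match_known_vulnerability(request_line: str):
    """S12: compare the target detection data against every entry of the library;
    return the first matching signature name, or None when nothing matches."""
    for name, pattern in KNOWN_VULN_LIBRARY.items():
        if pattern.search(request_line):
            return name
    return None


def screen_requests(requests):
    """Run S11 and S12 over (method, url) pairs and sort them into three buckets:
    'static' (filtered out), 'known' (known-vulnerability attack, with signature)
    and 'to_model' (target detection data that proceeds to S13-S15)."""
    buckets = {"static": [], "known": [], "to_model": []}
    for method, url in requests:
        if is_static_resource_request(method, url):
            buckets["static"].append((method, url))
            continue
        signature = match_known_vulnerability(f"{method} {url}")
        if signature is not None:
            buckets["known"].append((method, url, signature))
        else:
            buckets["to_model"].append((method, url))
    return buckets


# Constructed sample request data (not taken from the patent).
SAMPLE_REQUESTS = [
    ("GET", "/static/logo.png"),
    ("GET", "/assets/app.js?v=3"),
    ("GET", "/static/../../app.conf"),
    ("POST", "/api/login"),
    ("GET", "/download?file=report.pdf%00.png"),
    ("GET", "/search?q=hello"),
]

if __name__ == "__main__":
    for bucket, items in screen_requests(SAMPLE_REQUESTS).items():
        print(bucket, items)
```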
In this embodiment, in step S13, when there is no attack on the target detection data against a known bug, target vector data is determined based on the target detection data. The target vector data is obtained by processing the target detection data and is used for representing the target detection data.
Preferably, word segmentation processing is performed on the target detection data to obtain target character string data, with natural words as the word segmentation rule; then vectorization conversion is performed on the target character string data to obtain the target vector data.
The target character string data is converted by vectorization, according to a preset dictionary, into a vector consisting of a group of numbers, which is the target vector data. The numbers are not limited to binary, decimal or hexadecimal numbers, and the size of the target vector data is determined by the target character string data.
Continuing in this embodiment, in step S14, a predicted value is determined based on the target vector data through the neural network model, the predicted value being used to judge whether a 0day bug exists.
Preferably, the target vector data is input into the neural network model and data calculation is performed on it to obtain the predicted value. Specifically, the input layer weight matrix of the neural network model is multiplied by the target vector data to generate the first layer input matrix of the hidden layer; that first layer input matrix is multiplied by the next layer weight matrix of the hidden layer to generate the next layer input matrix of the hidden layer; this continues until the output layer is reached, where the last layer input matrix of the hidden layer is multiplied by the output layer weight matrix to generate the output value of the output layer, which is determined as the predicted value. The size of each layer weight matrix in the hidden layer is the product of the number of neurons in the next layer and the number of neurons in the current layer, and the weight matrices of the input layer, the hidden layer and the output layer are determined by training.
Preferably, the neural network model is generated after training, and includes: acquiring an abnormal data set and a normal data set; and training the abnormal data set and the normal data set by adopting a neural network learning algorithm to generate the neural network model, wherein the abnormal data set is a data set comprising all known vulnerabilities. Wherein the abnormal data set and the normal data set are dynamically updated.
Preferably, before training the abnormal data set and the normal data set, the method further includes: segmenting the data in all samples of the abnormal data set and the normal data set, for example with natural words as the segmentation rule; counting, for each word, the number of samples in which it appears, sorting the words by that number, for example in descending order, and assigning each word a uniquely corresponding sequence number, for example natural numbers increasing from 1, to form a dictionary; and performing vectorization conversion on the samples using the dictionary, each sample yielding one group of vector data for training. Specifically, each sample in the data set is segmented and the segmentation result is looked up in the dictionary, forming a word-to-number mapping (the sequence number corresponding to each word), so that each sample corresponds to one group of vector data.
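As an added example (not the patent's or its assignee's code) serving both the S13 vectorization of target detection data and the training-time preprocessing just described: word segmentation with natural words as the rule, a dictionary built by counting the number of samples each word appears in, sorting in descending order and numbering from 1, and vectorization of every sample through that dictionary. The sample data sets, the alphabetical tie-break and the mapping of unknown words to 0 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed training samples (not from the patent): the abnormal set holds
# request lines of known-vulnerability attacks, the normal set ordinary requests.
ABNORMAL_SAMPLES = [
    "GET /static/../../app.conf",
    "GET /download?file=report.pdf%00.png",
]
NORMAL_SAMPLES = [
    "GET /search?q=hello",
    "POST /api/login",
    "GET /api/users?page=2",
]

# Word segmentation rule: natural words, taken here as runs of letters/digits.
WORD_RE = re.compile(r"[A-Za-z0-9]+")
UNKNOWN_ID = 0  # assumption: a word absent from the dictionary maps to 0


def segment(text: str) -> list:
    """Split request data into natural words (case-folded)."""
    return WORD_RE.findall(text.lower())


def build_dictionary(samples) -> dict:
    """Count, for every word, the number of samples in which it appears; sort words
    by that count in descending order (ties broken alphabetically, an assumption)
    and assign each word a unique sequence number starting from 1."""
    sample_count = Counter()
    for sample in samples:
        sample_count.update(set(segment(sample)))  # one count per sample per word
    ordered = sorted(sample_count, key=lambda w: (-sample_count[w], w))
    return {word: number for number, word in enumerate(ordered, start=1)}


def vectorize(text: str, dictionary: dict) -> list:
    """Map the segmented string data to a group of numbers via the dictionary.
    The vector length follows from the string data itself."""
    return [dictionary.get(word, UNKNOWN_ID) for word in segment(text)]


def build_training_vectors():
    """Preprocessing before training: one dictionary over both data sets, then one
    (vector, label) pair per sample, label 1 for abnormal and 0 for normal."""
    dictionary = build_dictionary(ABNORMAL_SAMPLES + NORMAL_SAMPLES)
    rows = [(vectorize(s, dictionary), 1) for s in ABNORMAL_SAMPLES]
    rows += [(vectorize(s, dictionary), 0) for s in NORMAL_SAMPLES]
    return dictionary, rows


if __name__ == "__main__":
    dictionary, rows = build_training_vectors()
    print(dictionary)
    for vector, label in rows:
        print(label, vector)
```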
In this embodiment, in step S15, it is judged whether the predicted value is within a preset threshold range, and a 0day bug is determined to exist when the predicted value is not within the preset threshold range. That is, whether the target detection data carries a 0day bug attack is determined by judging whether the predicted value falls within the preset threshold range, the preset threshold range being set as the range in which no 0day bug exists.
The recall rate of identified attacks is tuned by adjusting the threshold calculation algorithm: on the premise of ensuring sufficient accuracy (for example, 97%), the threshold value that maximizes the recall rate is set as the final threshold value.
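As an added example (not the patent's or its assignee's code), the S14 forward pass in plain Python exactly as the description states it (successive matrix products with no activation, each hidden weight matrix sized next-layer by current-layer), the S15 range check, and the threshold rule above: maximize recall subject to an accuracy floor. The weights, validation predictions and labels are constructed; the training algorithm is not specified by the description and is not implemented, and a fixed-length input vector is assumed.

```python
def matvec(weights, vector):
    """Product of one layer's weight matrix with the current layer's input."""
    if any(len(row) != len(vector) for row in weights):
        raise ValueError("weight matrix must be (next neurons) x (current neurons)")
    return [sum(w * x for w, x in zip(row, vector)) for row in weights]


def predict(layer_weights, target_vector):
    """layer_weights: [input-layer W, hidden-layer W..., output-layer W].
    The output-layer matrix has a single row, so the result is one scalar."""
    current = target_vector
    for weights in layer_weights:
        current = matvec(weights, current)
    if len(current) != 1:
        raise ValueError("output layer must produce a single predicted value")
    return current[0]


def has_0day(predicted, threshold_range):
    """S15 decision: a 0day bug is determined when the predicted value lies
    outside the preset threshold range (the range set as 'no 0day bug')."""
    low, high = threshold_range
    return not (low <= predicted <= high)


def choose_threshold(predicted, labels, min_accuracy=0.97):
    """Among candidate upper bounds t of the 'no 0day' range [min, t], keep those
    whose accuracy on labelled validation data is at least min_accuracy and return
    the one maximizing attack recall (ties: higher accuracy, then larger t).
    labels: 1 for attack, 0 for normal. Returns (t, recall, accuracy)."""
    positives = sum(labels)
    best = None
    for t in sorted(set(predicted)):
        flagged = [p > t for p in predicted]
        tp = sum(1 for f, y in zip(flagged, labels) if f and y)
        tn = sum(1 for f, y in zip(flagged, labels) if not f and not y)
        accuracy = (tp + tn) / len(labels)
        recall = tp / positives
        if accuracy < min_accuracy:
            continue
        candidate = (recall, accuracy, t)
        if best is None or candidate > best:
            best = candidate
    if best is None:
        raise ValueError("no threshold reaches the required accuracy")
    recall, accuracy, t = best
    return t, recall, accuracy


# Constructed weights: 3 input neurons, one hidden layer of 2 neurons, 1 output.
DEMO_WEIGHTS = [
    [[0.5, 0.0, 0.0], [0.0, 0.5, 0.0]],   # input layer weight matrix, 2 x 3
    [[1.0, 1.0], [1.0, -1.0]],            # hidden layer weight matrix, 2 x 2
    [[1.0, 1.0]],                         # output layer weight matrix, 1 x 2
]

# Constructed validation predictions: 30 normal requests scoring low, one normal
# outlier at 0.68, and ten attacks, one of which scores only 0.65.
VALIDATION_PREDS = [round(0.05 + 0.019 * i, 3) for i in range(30)] + [0.68] \
    + [0.65, 0.70, 0.72, 0.75, 0.78, 0.80, 0.82, 0.88, 0.90, 0.95]
VALIDATION_LABELS = [0] * 31 + [1] * 10

if __name__ == "__main__":
    t, recall, accuracy = choose_threshold(VALIDATION_PREDS, VALIDATION_LABELS)
    print(f"final threshold {t}: recall {recall:.3f}, accuracy {accuracy:.3f}")
    value = predict(DEMO_WEIGHTS, [1.0, 2.0, 3.0])
    print(f"predicted value {value}: 0day determined = {has_0day(value, (0.0, t))}")
```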
Preferably, the method for determining a 0day vulnerability of a WEB application further includes step S16 (not shown), obtaining a secondary verification result of the target detection data corresponding to the determined existence of the 0day vulnerability; specifically, when the secondary verification result of the target detection data corresponding to the 0day bug is normal data, adding the target detection data into the normal data set to iteratively update the neural network model; and when the secondary verification result of the target detection data corresponding to the 0day bug is abnormal data and the target detection data has an attack aiming at the known bug, updating the known bug base.
The secondary verification includes, but is not limited to, a manual review mechanism carried out by professional security researchers. Specifically, through the manual review mechanism, a security researcher further examines the target detection data determined to have a 0day bug, combining professional knowledge and retrieval of related data, to determine whether the 0day bug attack was misjudged from normal data or from a known bug attack.
Specifically, if normal data was misjudged, the trained neural network model has a detection misjudgment and needs further update iteration, so the target detection data is added to the normal data set for iterative update training of the neural network model. If a known vulnerability was misjudged, the known vulnerability library needs to be updated, so the target detection data is added to the known vulnerability library.
Further, if the attack was not misjudged, further manual verification work can be carried out to confirm whether the attack can actually take effect. Specifically, a security researcher performs professional data processing (such as desensitization) on the target detection data, then performs playback verification of the requested traffic, and confirms the attack effect of the target detection data in combination with the running condition of the WEB application. If the attack effect can be achieved, the target detection data carries a 0day bug attack.
FIG. 2 is a block diagram of a system for determining a WEB application 0day vulnerability according to another aspect of the present application, wherein the system comprises:
the screening module 21 is configured to screen request data of a to-be-detected WEB application, and determine target detection data;
a known vulnerability detection module 22 for determining whether there is an attack against a known vulnerability based on the target detection data;
the prediction module 23 is configured to, when the target detection data does not have an attack against a known bug, determine target vector data based on the target detection data, and determine a predicted value based on the target vector data through the neural network model 25;
and the result judging module 24 is configured to judge whether the predicted value is within a preset threshold range, and determine that a 0day bug exists when the predicted value is not within the preset threshold range.
Preferably, the system for determining a 0day vulnerability of a WEB application further includes:
and a secondary verification module 26 (not shown) for performing secondary verification on the target detection data corresponding to the vulnerability of 0day determined to exist, obtaining a secondary verification result, and updating the normal data set and/or the abnormal data set based on the secondary verification result to iteratively update the neural network model 25.
FIG. 3 illustrates a block diagram of a system for training and generating the neural network model 25, according to another aspect of the present application, wherein the system comprises:
an abnormal data set module 31, configured to store known vulnerabilities and other known types of abnormal data of all WEB applications;
a normal data set module 32, configured to store known types of normal data of all WEB applications;
and the training module 33 is configured to pre-process the data in the abnormal data set module and the normal data set module, and train and generate the neural network model 25 by using a neural network learning algorithm.
According to yet another aspect of the present application, there is also provided a computer readable medium having stored thereon computer readable instructions executable by a processor to implement the foregoing method.
According to another aspect of the present application, there is also provided an apparatus for determining a 0day vulnerability of a WEB application, wherein the apparatus includes:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform operations of the method as previously described.
For example, the computer readable instructions, when executed, cause the one or more processors to: screening request data of WEB application, and judging whether the request data belongs to static resource request data; matching the non-static resource request data with a known vulnerability library, and judging whether known vulnerability attacks exist or not; performing word segmentation processing on target detection data to obtain target character string data; carrying out quantitative conversion on the target character string data to obtain target vector data; inputting the target vector data into the trained neural network model to obtain a predicted value; and judging whether the predicted value is within a preset threshold range, and determining whether a WEB application 0day bug exists in the target detection data.
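The following is an added example, not code from the patent or its applicant, that wires the steps just listed into one detector: screening of static resource requests, matching against a known vulnerability library, a threshold check on the model's predicted value, and the secondary verification feedback described above (false positives go to the normal data set, missed known attacks extend the library, confirmed attacks are kept as abnormal samples). The static-extension list, the regex-based library, the `(low, high)` threshold and the `toy_model` scorer are all assumptions standing in for parts the patent does not specify; in particular `toy_model` is a placeholder for the trained neural network.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Extensions treated as static resources (assumption: the patent does not list them).
STATIC_EXTENSIONS = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff")


def request_path(request: str) -> str:
    """Return the URL path of a request line such as 'GET /a/b.css?x=1 HTTP/1.1'."""
    parts = request.split()
    url = parts[1] if len(parts) >= 2 else request
    return url.split("?", 1)[0]


def is_static_resource(request: str) -> bool:
    """Screening step: static resource requests are not target detection data."""
    return request_path(request).lower().endswith(STATIC_EXTENSIONS)


@dataclass
class KnownVulnerabilityLibrary:
    """Constructed stand-in for the known vulnerability library: name -> regex over the raw request."""
    signatures: dict = field(default_factory=dict)

    def match(self, request: str) -> Optional[str]:
        for name, pattern in self.signatures.items():
            if re.search(pattern, request, re.IGNORECASE):
                return name
        return None


@dataclass
class ZeroDayDetector:
    library: KnownVulnerabilityLibrary
    model: Callable[[str], float]      # trained model: raw request -> predicted value
    threshold: tuple                   # (low, high): predicted values inside are normal
    normal_set: list = field(default_factory=list)
    abnormal_set: list = field(default_factory=list)

    def detect(self, request: str) -> str:
        """Run the steps of claim 1 in order and return a verdict string."""
        if is_static_resource(request):
            return "static"
        hit = self.library.match(request)
        if hit is not None:
            return "known:" + hit
        value = self.model(request)
        low, high = self.threshold
        return "normal" if low <= value <= high else "0day"

    def secondary_verification(self, request: str, verdict: str,
                               signature: Optional[tuple] = None) -> None:
        """Feed a security researcher's verdict on a request flagged as 0day back into the data sets."""
        if verdict == "normal":
            # false positive: the model needs an update iteration on the enlarged normal set
            self.normal_set.append(request)
        elif verdict == "known":
            # the library was missing this signature; add it as (name, pattern) and keep the sample
            name, pattern = signature
            self.library.signatures[name] = pattern
            self.abnormal_set.append(request)
        elif verdict == "0day":
            # confirmed by replay: keep as an abnormal training sample
            self.abnormal_set.append(request)
        else:
            raise ValueError("verdict must be 'normal', 'known' or '0day'")


def toy_model(request: str) -> float:
    """Placeholder for the trained network: counts quote and angle-bracket characters."""
    return float(sum(request.count(ch) for ch in "'<>"))


def build_demo_detector() -> ZeroDayDetector:
    """Detector with a one-entry constructed library and a constructed normal range of [0, 1]."""
    library = KnownVulnerabilityLibrary({
        "sqli_tautology": r"'\s*or\s*'?\d+'?\s*=\s*'?\d+",
    })
    return ZeroDayDetector(library=library, model=toy_model, threshold=(0.0, 1.0))
```

`detect` returns `"static"`, `"known:<name>"`, `"normal"` or `"0day"`; only requests that reach the model and fall outside the threshold range are handed to `secondary_verification`, whose verdict decides which data set or library grows before the next retraining cycle.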
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (14)

1. A method for determining a WEB application 0day vulnerability, the method comprising:
screening request data of the WEB application to be detected, and determining target detection data;
determining whether an attack for a known vulnerability exists based on the target detection data;
when the target detection data does not have an attack aiming at a known bug, determining target vector data based on the target detection data;
determining a predicted value based on the target vector data through a neural network model, wherein the predicted value is used for judging whether a 0day bug exists;
judging whether the predicted value is within a preset threshold range, and determining that a 0day bug exists when the predicted value is not within the preset threshold range.
2. The method according to claim 1, wherein the screening the request data of the WEB application to be detected and the determining the target detection data comprises:
judging whether the request data of the to-be-detected WEB application is static resource request data, and determining the request data as the target detection data if it is not static resource request data.
3. The method of claim 1 or 2, wherein the determining whether an attack is present for a known vulnerability based on the target detection data comprises:
comparing the target detection data with all known vulnerabilities in a known vulnerability library, and determining that the target detection data has no attack against a known vulnerability when no corresponding known vulnerability is matched in the known vulnerability library.
4. The method of any of claims 1-3, wherein the determining target vector data based on the target detection data comprises:
performing word segmentation processing on the target detection data to obtain target character string data;
and performing vectorization conversion on the target character string data to obtain the target vector data.
5. The method of any one of claims 1 to 4, wherein the determining, by a neural network model, a predicted value based on the target vector data comprises:
inputting the target vector data into a neural network model;
multiplying the target vector data by the weight matrix of the input layer of the neural network model to generate the first-layer input matrix of the hidden layer; multiplying the first-layer input matrix of the hidden layer by the weight matrix of the next hidden layer to generate the second-layer input matrix of the hidden layer, and continuing in this way until the output layer is reached; multiplying the last-layer input matrix of the hidden layer by the weight matrix of the output layer to generate the output value of the output layer, and determining that output value as the predicted value, wherein the size of each layer's weight matrix in the hidden layer is the number of neurons in that layer times the number of neurons in the next layer; and training the weight matrices of the input layer, the hidden layer and the output layer to determine them.
6. The method of any one of claims 1 to 5, wherein the generating of the neural network model comprises:
acquiring an abnormal data set and a normal data set;
and training on the abnormal data set and the normal data set using a neural network learning algorithm to generate the neural network model, wherein the abnormal data set comprises all known vulnerabilities.
7. The method of claim 6, wherein prior to training the abnormal data set and the normal data set, further comprising:
performing word segmentation on the data in all samples of the abnormal data set and the normal data set;
counting, for each word, the number of samples in which it occurs, sorting the words by that number, and assigning each word a unique sequence number to form a dictionary;
and performing vectorization conversion on the samples using the dictionary, each sample yielding a group of vector data for training.
8. The method according to claim 6 or 7, characterized in that the method further comprises:
acquiring a secondary verification result of the target detection data corresponding to the determined existence of the 0day bug;
and when the secondary verification result of the target detection data corresponding to the 0day vulnerability is normal data, adding the target detection data into the normal data set to iteratively update the neural network model.
9. The method of claim 8, further comprising:
and when the secondary verification result of the target detection data corresponding to the 0day bug is abnormal data and the target detection data has an attack aiming at the known bug, updating the known bug base.
10. A system for determining a WEB application 0day vulnerability, the system comprising:
the screening module is used for screening the request data of the WEB application to be detected and determining target detection data;
a known vulnerability detection module for determining whether there is an attack against a known vulnerability based on the target detection data;
the prediction module is used for determining target vector data based on the target detection data when the target detection data has no attack to a known bug, and determining a predicted value based on the target vector data through a neural network model;
and the result judging module is used for judging whether the predicted value is within a preset threshold range, and determining that a 0day bug exists when the predicted value is not within the preset threshold range.
11. The system of claim 10, further comprising:
the abnormal data set module is used for storing known bugs of all WEB applications and other known types of abnormal data;
the normal data set module is used for storing known types of normal data of all WEB applications;
and the training module is used for preprocessing the data in the abnormal data set module and the normal data set module and training to generate a neural network model by adopting a neural network learning algorithm.
12. The system of claim 11, further comprising:
and the secondary verification module is used for performing secondary verification on the target detection data corresponding to the 0day vulnerability determined to exist, obtaining a secondary verification result, and updating the normal data set and/or the abnormal data set based on the secondary verification result so as to iteratively update the neural network model.
13. A computer-readable medium, wherein,
stored thereon computer readable instructions executable by a processor to implement the method of any one of claims 1 to 9.
14. An apparatus for determining a WEB application 0day vulnerability, wherein the apparatus comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of any of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910646714.2A CN112241358A (en) 2019-07-17 2019-07-17 Method and system for determining WEB application 0day bug

Publications (1)

Publication Number Publication Date
CN112241358A true CN112241358A (en) 2021-01-19

Family

ID=74167287

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910646714.2A Pending CN112241358A (en) 2019-07-17 2019-07-17 Method and system for determining WEB application 0day bug

Country Status (1)

Country Link
CN (1) CN112241358A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105245506A (en) * 2015-09-23 2016-01-13 上海云盾信息技术有限公司 Network attack defense method and equipment
CN106790292A (en) * 2017-03-13 2017-05-31 摩贝(上海)生物科技有限公司 Web application layer attack detection and defense method based on behavior feature matching and analysis
CN109376531A (en) * 2018-09-28 2019-02-22 杭州电子科技大学 Web intrusion detection method based on semantic re-encoding and feature space separation
KR101964412B1 (en) * 2018-12-12 2019-04-01 주식회사 모비젠 Method for diagnosing anomaly logs of a mobile communication data processing system, and system thereof
WO2019134334A1 (en) * 2018-01-04 2019-07-11 平安科技(深圳)有限公司 Network abnormal data detection method and apparatus, computer device and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Zhang Haichun et al.: "Design and Simulated Implementation of an Intelligent Intrusion Detection System", Mathematics in Practice and Theory, vol. 39, no. 06, pages 162-169 *
Chen Wanzhi et al.: "Industrial Control Network Intrusion Detection Method Combining Whitelist Filtering and Neural Networks", Journal of Computer Applications, vol. 38, no. 02, pages 363-369 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination