CN112367338A - Malicious request detection method and device - Google Patents

Malicious request detection method and device

Publication number
CN112367338A
Authority
CN
China
Prior art keywords
request
requests
access request
illegal
malicious
Prior art date
Legal status
Pending
Application number
CN202011359373.XA
Other languages
Chinese (zh)
Inventor
杨振
张得俊
陈海宇
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/23 Clustering techniques
    • G06F 18/232 Non-hierarchical techniques
    • G06F 18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F 18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions, with fixed number of clusters, e.g. K-means clustering

Abstract

The embodiments of this application provide a malicious request detection method and device. The method comprises: acquiring a request data set that contains a plurality of illegal requests, an illegal request being a client access request that failed signature authentication; performing feature dimension reduction on the plurality of illegal requests to obtain processed features; clustering the illegal requests on the basis of the processed features to obtain a plurality of clustering results; and determining the illegal requests contained in a target clustering result to be malicious requests, the target clustering result being the clustering result that contains the largest number of illegal requests. With this scheme the gateway detects malicious requests actively, and the security of user information and data is improved.

Description

Malicious request detection method and device
Technical Field
The present application relates to the field of computer and communication technologies, and in particular, to a malicious request detection method and apparatus.
Background
With the rapid growth of the internet, malicious attacks on networks, malicious requests among them, have become a problem the industry cannot ignore. To limit the harm malicious requests cause to servers and users, the current practice is mainly to have a gateway sign and authenticate access requests: when the gateway receives an access request it first verifies whether the signature is valid and rejects any request whose signature is invalid; in addition, malicious requests may be detected with a separate detection technique.
However, signature authentication at an existing gateway cannot completely stop malicious requests, and existing malicious request detection techniques suffer from detection delay and similar shortcomings, so true prevention of malicious requests is hard to achieve.
Disclosure of Invention
The embodiment of the application provides a malicious request detection method and device, so that the active detection of a gateway on a malicious request is realized at least to a certain extent, the normal operation of the gateway is ensured, and the safety of user information and data is improved.
Other features and advantages of the present application will be apparent from the following detailed description, or may be learned by practice of the application.
According to an aspect of an embodiment of the present application, there is provided a malicious request detection method, including: acquiring a request data set, wherein the request data set comprises a plurality of illegal requests, and the illegal requests are requests which do not pass signature authentication in access requests of a client; performing feature dimension reduction processing on the plurality of illegal requests to obtain processed features; clustering the illegal requests based on the processed characteristics to obtain a plurality of clustering results; and determining illegal requests contained in target clustering results in the clustering results as malicious requests, wherein the target clustering results are the clustering results with the largest number of illegal requests contained in the clustering results.
According to an aspect of an embodiment of the present application, there is provided a malicious request detection apparatus, including: a first acquisition unit configured to acquire a request data set, where the request data set contains a plurality of illegal requests and an illegal request is a client access request that failed signature authentication; a feature dimension reduction processing unit configured to perform feature dimension reduction on the plurality of illegal requests to obtain processed features; a clustering processing unit configured to cluster the illegal requests on the basis of the processed features to obtain a plurality of clustering results; and a first determining unit configured to determine the illegal requests contained in a target clustering result among the plurality of clustering results to be malicious requests, where the target clustering result is the clustering result containing the largest number of illegal requests.
In some embodiments of the present application, based on the foregoing solution, the feature dimension reduction processing unit is configured to: inputting the plurality of illegal requests into a feature dimension reduction model to obtain processed features output by the feature dimension reduction model, wherein the feature dimension reduction model is obtained through model training; wherein the model training process comprises: inputting a training sample containing an illegal request into a preset network model, wherein the preset network model comprises an input layer, a plurality of hidden layers and an output layer, the input layer contains a coding function, and the output layer contains a decoding function; aiming at the training sample, coding through the coding function, carrying out feature extraction step by step through the plurality of hidden layers, decoding through the decoding function, and outputting to obtain a reconstructed sample; and training parameters in the coding function and the decoding function according to the reconstruction errors of the reconstruction samples and the training samples to obtain the feature dimension reduction model.
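The training loop described above (encode, reconstruct, back-propagate the reconstruction error), as an added example that is not code from the patent or from Tencent. It is a denoising autoencoder in plain Python with a single hidden layer, which is a simplification of the multi-layer model the text describes; the feature vectors, the masking-noise corruption rate, the learning rate and the number of epochs are all constructed or assumed values, and the sigmoid encoding and decoding functions are this example's choice.

```python
import math
import random

# Constructed training set (illustrative values, not data from the patent).
# Each illegal request has already been turned into a fixed-length vector of
# features scaled to [0, 1], e.g. parameter count, path length, timestamp
# skew, nonce present, signature length, user-agent length.
ILLEGAL_REQUEST_FEATURES = [
    [0.90, 0.80, 0.95, 0.00, 0.20, 0.10],   # looks like a brute-force probe
    [0.85, 0.82, 0.90, 0.00, 0.25, 0.12],
    [0.92, 0.78, 0.97, 0.00, 0.18, 0.08],
    [0.88, 0.85, 0.93, 0.00, 0.22, 0.11],
    [0.95, 0.79, 0.91, 0.00, 0.21, 0.09],
    [0.20, 0.30, 0.10, 1.00, 0.90, 0.80],   # looks like a misconfigured client
    [0.25, 0.28, 0.12, 1.00, 0.88, 0.85],
    [0.18, 0.33, 0.08, 1.00, 0.92, 0.78],
]


def sigmoid(z):
    z = max(-60.0, min(60.0, z))            # guard against exp() overflow
    return 1.0 / (1.0 + math.exp(-z))


def affine(weights, bias, x):
    """weights is a list of rows, one per output unit; returns W x + b."""
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(weights, bias)]


class DenoisingAutoencoder:
    """Input layer with an encoding function, one hidden layer, output layer
    with a decoding function; trained on the reconstruction error."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w_enc = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b_enc = [0.0] * n_hidden
        self.w_dec = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b_dec = [0.0] * n_in

    def encode(self, x):                    # the low-dimensional "processed features"
        return [sigmoid(z) for z in affine(self.w_enc, self.b_enc, x)]

    def decode(self, h):                    # the reconstructed sample
        return [sigmoid(z) for z in affine(self.w_dec, self.b_dec, h)]

    def reconstruction_error(self, samples):
        total = 0.0
        for x in samples:
            y = self.decode(self.encode(x))
            total += sum((yi - xi) ** 2 for yi, xi in zip(y, x)) / len(x)
        return total / len(samples)

    def train(self, samples, epochs=2000, lr=0.5, corruption=0.2, seed=1):
        rng = random.Random(seed)
        for _ in range(epochs):
            for x in samples:
                # denoising: mask a random subset of inputs but reconstruct the clean x
                noisy = [0.0 if rng.random() < corruption else v for v in x]
                h = self.encode(noisy)
                y = self.decode(h)
                # gradient of 0.5*||y - x||^2 through the sigmoid output units ...
                d_out = [(yi - xi) * yi * (1.0 - yi) for yi, xi in zip(y, x)]
                # ... and back through the decoder weights into the hidden units
                d_hid = [sum(self.w_dec[i][j] * d_out[i] for i in range(len(d_out))) * hj * (1.0 - hj)
                         for j, hj in enumerate(h)]
                for i, row in enumerate(self.w_dec):
                    for j in range(len(row)):
                        row[j] -= lr * d_out[i] * h[j]
                    self.b_dec[i] -= lr * d_out[i]
                for j, row in enumerate(self.w_enc):
                    for k in range(len(row)):
                        row[k] -= lr * d_hid[j] * noisy[k]
                    self.b_enc[j] -= lr * d_hid[j]
        return self


def reduce_features(samples, n_hidden=2):
    """Train the reduction model on the illegal requests; return the model, the
    low-dimensional feature of every request and the error before/after training."""
    model = DenoisingAutoencoder(len(samples[0]), n_hidden)
    error_before = model.reconstruction_error(samples)
    model.train(samples)
    error_after = model.reconstruction_error(samples)
    return model, [model.encode(x) for x in samples], (error_before, error_after)


if __name__ == "__main__":
    _, codes, (before, after) = reduce_features(ILLEGAL_REQUEST_FEATURES)
    print(f"reconstruction error {before:.4f} -> {after:.4f}")
    for code in codes:
        print([round(c, 3) for c in code])
```

Only the encoder is needed at detection time: its two-unit output is the feature the clustering stage consumes, and the reconstruction error of a fresh failed request against the trained model is a useful second signal, since a request that reconstructs badly resembles nothing the gateway has already seen.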
In some embodiments of the present application, based on the foregoing scheme, the clustering processing unit is configured to: mapping the processed features from a first dimension space to a second dimension space to obtain mapped features, wherein the first dimension space is a dimension space where the processed features are located, and the dimension of the first dimension space is lower than that of the second dimension space; and carrying out division processing on the illegal requests based on the mapped features to obtain a plurality of division results, and mapping the division results from the second dimension space to the first dimension space to obtain a plurality of clustering results.
In some embodiments of the present application, based on the foregoing solution, the feature dimension reduction processing unit is configured to: determining whether expired illegal requests exist in the request data set according to valid time information corresponding to each illegal request; and if the expired illegal request exists, deleting the expired illegal request from the request data set to obtain a new request data set, and performing feature dimension reduction processing on the illegal request contained in the new request data set.
In some embodiments of the present application, based on the foregoing solution, the apparatus further includes: the verification checking unit is configured to verify a source address of the access request of the client and check parameters carried by the access request; and the signature authentication unit is configured to perform signature authentication on the access request if the access request passes source address verification and parameter check.
In some embodiments of the present application, based on the foregoing solution, the apparatus further includes: a second acquisition unit configured to acquire a malicious source address set, where the set comprises a plurality of malicious source addresses and each malicious source address has valid time information; and a second determining unit configured to determine that the access request passes source address verification if no target malicious source address identical to the source address of the access request exists in the malicious source address set, or if such a target malicious source address exists but its valid time information has expired.
In some embodiments of the present application, based on the foregoing solution, the apparatus further includes: a third determining unit configured to determine that the access request passes the parameter check if the access request carries a timestamp, a random number (nonce) and an authorized account, and the difference between the current timestamp and the carried timestamp lies within a preset range.
In some embodiments of the present application, based on the foregoing solution, the apparatus further includes: the arrangement unit is configured to sequentially arrange parameter names of other parameters except for the signature carried by the access request of the client and parameter values corresponding to the parameter names to generate a first character string; the adding unit is configured to add a target interface address corresponding to the access request to the head of the first character string to generate a second character string, and perform hash calculation on the second character string to obtain an operation signature of the access request; and the fourth determining unit is configured to determine that the access request is not authenticated by the signature if the operation signature of the access request is inconsistent with the signature carried by the access request.
In some embodiments of the present application, based on the foregoing solution, the apparatus further includes: and the forwarding unit is configured to forward the access request to a server corresponding to the target interface so that the server responds to the access request if the access request is determined to pass the signature authentication and the access frequency of the target interface corresponding to the access request does not reach a preset upper limit.
According to an aspect of embodiments of the present application, there is provided a computer-readable medium on which a computer program is stored, which, when executed by a processor, implements the malicious request detection method as described in the above embodiments.
According to an aspect of an embodiment of the present application, there is provided an electronic device including: one or more processors; storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the malicious request detection method as described in the above embodiments.
According to an aspect of embodiments herein, there is provided a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the malicious request detection method provided in the various alternative embodiments described above.
In the technical solutions provided in some embodiments of the present application, a client access request that fails signature authentication is treated as an illegal request; a request data set containing a plurality of such illegal requests is obtained; feature dimension reduction and clustering are performed on them to obtain a plurality of clustering results; and finally the target clustering result containing the largest number of illegal requests is selected and the illegal requests it contains are determined to be malicious. In this way the gateway service detects malicious requests actively, a client is prevented from trying to crack or bypass the gateway's signature authentication by means such as brute-force enumeration, the limitation of signature authentication alone is overcome, normal operation of the gateway service is protected, and the security of user information and data is improved. At the same time, the detection does not depend on a pre-trained algorithm model; the processing algorithm is applied dynamically during detection, which improves the ability to detect a sudden new type of malicious request.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application. It is obvious that the drawings in the following description are only some embodiments of the application, and that for a person skilled in the art, other drawings can be derived from them without inventive effort. In the drawings:
FIG. 1 is a diagram illustrating an exemplary system architecture to which aspects of embodiments of the present application may be applied;
FIG. 2 illustrates a flow diagram of a malicious request detection method according to one embodiment of the present application;
FIG. 3 shows a flow diagram of a model training method according to an embodiment of the present application;
FIG. 4 shows a schematic diagram of a noise-reducing self-encoder according to an embodiment of the present application;
FIG. 5 shows a flow diagram of a malicious request detection method according to one embodiment of the present application;
FIG. 6 shows a flow diagram of a malicious request detection method according to one embodiment of the present application;
FIG. 7 illustrates a flow diagram of a malicious request detection method according to one embodiment of the present application;
FIG. 8 illustrates a returned result diagram for a legitimate request, according to one embodiment of the present application;
FIG. 9 illustrates a returned result diagram for a malicious request according to an embodiment of the present application;
FIG. 10 shows a flow diagram of a malicious request detection method according to one embodiment of the present application;
FIG. 11 illustrates a logic diagram of a malicious request detection method according to one embodiment of the present application;
FIG. 12 shows a block diagram of a malicious request detection apparatus according to an embodiment of the present application;
FIG. 13 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the subject matter of the present application can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, devices, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the application.
It is to be noted that the terms used in the specification and claims of the present application and the above-described drawings are only for describing the embodiments and are not intended to limit the scope of the present application. It will be understood that the terms "comprises," "comprising," "includes," "including," "has," "having," and the like, when used herein, specify the presence of stated features, integers, steps, operations, elements, components, and/or groups thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It will be further understood that, although the terms first, second, third, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first element could be termed a second element without departing from the scope of the present invention. Similarly, a second element may be termed a first element. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It should be understood that in the present application, "at least one" means one or more, "a plurality" means two or more.
Before further detailed description of the embodiments of the present application, terms and expressions referred to in the embodiments of the present application will be described, and the terms and expressions referred to in the embodiments of the present application will be used for the following explanation.
Gateway (Gateway): a server that forwards communication data on behalf of other servers. When it receives a request from a client it handles the request as if it held the resource itself, so the client is sometimes unaware that its communication peer is a gateway. A gateway can improve communication security, because the link between the client and the gateway can be encrypted to secure the connection.
At present, a gateway generally detects and discovers a malicious access request through an authentication and authorization manner, and an open authentication and authorization manner in the gateway is to perform signature authentication on the access request through a group of authorization accounts and authorization keys. The general process is as follows:
(1) when initiating an access request, a client adds an authorization account into a request parameter, signs the request parameter according to an authorization key, adds the signature into the parameter and initiates the access request;
(2) and when receiving the access request, the gateway searches a corresponding authorization key according to the authorization account in the request parameter, and authenticates the validity of the signature in the parameter by repeating the signature algorithm of the client.
Without the corresponding authorization key, the signature algorithm keeps the probability that a third party obtains a valid signature by collision, for instance through brute-force enumeration, extremely low. However, a third party that issues a very large number of requests still has a small but non-zero probability of colliding with a valid signature, forging a malicious request and obtaining user information and data it is not authorized to access. Meanwhile, that flood of requests may itself impair normal operation of the gateway, increasing service load and slowing responses.
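The client-side signing and gateway-side verification just described, together with the source-address, parameter and rate-limit checks from the apparatus units above (verification checking unit, malicious source address set with valid time, timestamp/nonce/account check, canonical string with the interface address at its head, forwarding subject to the interface's access limit), as one added example. This is not the patent's or Tencent's code. The page says only that the canonical string is hashed; binding the authorization key in with HMAC-SHA256 is this example's assumption, as are the parameter ordering, the 300-second timestamp window, the nonce replay set, the cumulative hit counter standing in for an access-frequency limit, and every key, address and account value.

```python
import hashlib
import hmac
import secrets

NOW = 1_700_000_000                 # fixed clock so the run is deterministic
TIMESTAMP_WINDOW = 300              # preset allowed timestamp difference, seconds (assumed)
RATE_LIMITS = {"/api/v1/profile": 3}  # per-interface upper limit, deliberately tiny here

# Constructed authorization store: account -> authorization key (hypothetical).
AUTH_KEYS = {"acct_demo": b"demo-authorization-key"}
# Constructed malicious source address set with valid time information.
MALICIOUS_SOURCES = {"203.0.113.7": NOW + 3600,   # still blocked
                     "198.51.100.9": NOW - 10}    # block has expired


def canonical_string(interface, params):
    """Parameter names and values except the signature, in a fixed order,
    with the target interface address placed at the head (first string +
    interface = second string)."""
    body = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return interface + "?" + body


def compute_signature(interface, params, key):
    # Keyed hash over the canonical string; HMAC is this example's choice.
    return hmac.new(key, canonical_string(interface, params).encode(), hashlib.sha256).hexdigest()


def client_request(interface, params, account, key, now):
    """Client side: add the authorized account, timestamp and nonce, then sign."""
    params = dict(params, account=account, timestamp=str(now), nonce=secrets.token_hex(8))
    params["sign"] = compute_signature(interface, params, key)
    return params


class Gateway:
    def __init__(self, now=NOW):
        self.now = now
        self.illegal_requests = []   # request data set handed to the clustering stage
        self.hits = {}               # cumulative per-interface counter (a real gateway uses a window)
        self.seen_nonces = set()     # replay guard; not spelled out on the page

    def source_verified(self, addr):
        deadline = MALICIOUS_SOURCES.get(addr)
        return deadline is None or deadline <= self.now   # absent, or block expired

    def params_checked(self, params):
        if not {"timestamp", "nonce", "account"}.issubset(params):
            return False
        try:
            ts = int(params["timestamp"])
        except ValueError:
            return False
        return abs(self.now - ts) <= TIMESTAMP_WINDOW

    def signature_verified(self, interface, params):
        key = AUTH_KEYS.get(params.get("account"))   # look up key by account
        if key is None:
            return False
        expected = compute_signature(interface, params, key)   # repeat the client's algorithm
        return hmac.compare_digest(expected, str(params.get("sign", "")))

    def handle(self, addr, interface, params):
        if not self.source_verified(addr):
            return "reject: malicious source"
        if not self.params_checked(params):
            return "reject: parameter check"
        if not self.signature_verified(interface, params):
            # failed signature authentication: record as an illegal request
            self.illegal_requests.append({"addr": addr, "interface": interface, "params": dict(params)})
            return "reject: signature"
        nonce = (params["account"], params["nonce"])
        if nonce in self.seen_nonces:
            return "reject: replay"
        self.seen_nonces.add(nonce)
        self.hits[interface] = self.hits.get(interface, 0) + 1
        if self.hits[interface] > RATE_LIMITS.get(interface, float("inf")):
            return "reject: rate limit"
        return "forward"
```

Two details matter in practice: the comparison uses `hmac.compare_digest` rather than `==`, so an attacker enumerating signatures learns nothing from response timing, and every signature failure lands in `illegal_requests`, which is exactly the data set the clustering stage later mines for the burst of near-identical brute-force attempts.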
In addition, in order to detect and find malicious requests, the related art prepares a large amount of training set and verification set data through means of machine learning and the like, and builds and trains a specific algorithm model in advance. After the training of the algorithm model is completed, actual request data is input to the algorithm model, and therefore a judgment result of the algorithm model for the malicious request is output.
However, the above technical solutions have the following disadvantages:
on one hand, the core of the open authentication and authorization method is to authenticate the validity of the signature. If there is a malicious request that successfully matches the signature of the access request by way of a brute force collision or enumeration traversal, the malicious request will be able to accidentally access some sensitive data. Although the possibility of accidentally matching signatures is reduced as much as possible by introducing a timestamp, a random number, a more complex signature algorithm, and the like, the gateway should have a more active manner and be able to discover and report malicious requests in time.
On the other hand, the technical scheme of pre-constructing and training a specific algorithm model requires that the specific algorithm model is trained and completed in advance. Thus, this approach may not be able to adjust model parameters in real-time and may not be able to detect and distinguish new types of malicious requests well. Every time a new type of malicious request appears, researchers need to rearrange the data set and train the model again, so that the detection of the new type of malicious request is delayed, and the safety of user information and data is not ensured. Meanwhile, the arrangement of the data set and the training of the model rely on a large amount of manual operation, which is not beneficial to the construction of automatic gateway service.
In view of the above, an embodiment of the present application provides a malicious request detection method, which includes obtaining a request data set including a plurality of illegal requests, where the illegal requests are requests that do not pass signature authentication in an access request of a client, and then performing feature dimension reduction processing on the plurality of illegal requests to obtain processed features; further clustering the illegal requests based on the processed characteristics to obtain a plurality of clustering results; and finally, determining a target clustering result containing the largest number of illegal requests from the plurality of clustering results, and determining the illegal requests contained in the target clustering result as malicious requests.
With this scheme the gateway detects malicious requests actively, a client is prevented from trying to crack or bypass the gateway's signature authentication by means such as brute-force enumeration, the limitation of signature authentication alone is overcome, normal operation of the gateway is protected, and the security of user information and data is improved. At the same time, the detection does not depend on a pre-trained algorithm model; the processing algorithm is applied dynamically during detection, which improves the ability to detect a sudden new type of malicious request.
Fig. 1 shows a schematic diagram of an exemplary system architecture to which the technical solution of the embodiments of the present application can be applied.
As shown in fig. 1, the system architecture 100 may include one or more of terminal devices 101, 102, 103, a gateway 104, and a server 105. The terminal devices 101, 102, 103 run one or more third party applications, such as office applications or internet social applications, etc. A visitor (i.e. a user) may send an access request to the gateway 104 via the terminal devices 101, 102, 103; gateway 104 may receive an access request from an accessor, perform signature authentication on the access request, and form a request data set by using the access request that fails the signature authentication as an illegal request.
In one embodiment, the terminal devices 101, 102, and 103 in the embodiment of the present application include, but are not limited to, a personal computer, an intelligent mobile terminal (e.g., a mobile phone, a mobile computer, or a tablet), a Personal Digital Assistant (PDA), a smart television, a smart watch, smart glasses, and a smart bracelet. The terminal devices 101, 102, and 103 have a third-party application installed and running, that is, a Client, where the client is the program that corresponds to the server and provides a local service for the user. The local service may include, but is not limited to: human-computer interaction, local data collection and maintenance, communication between the local device and the server, and so on. The client may be a locally running application, a function running in a web browser (a web app), an applet embedded in e-mail, an applet embedded in instant messaging client software (e.g., WeChat), a function embedded in another application (e.g., a WeChat official account), and the like. For the client, a corresponding server-side program needs to run on the server to provide the corresponding services, such as database services, data calculation, decision execution, and so on.
In one embodiment, the server 105 in the embodiment of the present application corresponds to a client, and may perform communication connection with the terminal devices 101, 102, and 103 running with the client through the internet to provide a service for a user; and interacts with the gateway 104 and returns response data for access requests of the terminal devices 101, 102, 103 to the gateway 104.
In one embodiment, the gateway 104 in the embodiment of the present application may be a stand-alone device, and may be a router with a routing function, a server with a routing protocol, a proxy server, or the like. And a plurality of devices can be expanded in parallel according to the service requirement.
In one embodiment, the gateway 104 may include a gateway service and a gateway data center. The gateway service receives the access requests that visitors send through the terminal devices 101, 102 and 103, performs signature authentication on them, and stores the requests that fail authentication as illegal requests in the gateway data center, which accumulates them into a request data set. The gateway data center performs feature dimension reduction on the illegal requests contained in the data set, clusters them on the basis of the processed features to obtain a plurality of clustering results, and then decides from those results whether malicious requests exist: it determines the target clustering result that contains the largest number of illegal requests and treats the illegal requests it contains as malicious.
The implementation details of the technical solution of the embodiment of the present application are set forth in detail below:
fig. 2 shows a flowchart of a malicious request detection method according to an embodiment of the present application, which may be performed by a gateway, which may be the gateway 104 shown in fig. 1. Referring to fig. 2, the method includes:
step S210, a request data set is obtained, wherein the request data set comprises a plurality of illegal requests, and the illegal requests are requests which do not pass signature authentication in access requests of a client;
step S220, performing feature dimension reduction processing on the plurality of illegal requests to obtain processed features;
step S230, clustering the plurality of illegal requests based on the processed characteristics to obtain a plurality of clustering results;
step S240, determining an illegal request included in a target clustering result of the plurality of clustering results as a malicious request, where the target clustering result is a clustering result with the largest number of illegal requests included in the plurality of clustering results.
These steps are described in detail below.
In step S210, a request data set is obtained, where the request data set includes a plurality of illegal requests, and the illegal requests are requests that do not pass signature authentication in the access request of the client.
The execution subject of this embodiment is a gateway, which may include a gateway service and a gateway data center; the gateway service receives the access requests of visitors and performs signature authentication on them.
Specifically, a visitor may initiate one or more access requests through a client application on a terminal device, where the access requests may be User Datagram Protocol (UDP) requests or Transmission Control Protocol (TCP) requests.
For example, if a visitor wants to access a target website server through a client application, the client application can call the functions and resources of the target website server through an open resource-calling application programming interface (API); the visitor initiates an access request through the client application, and the gateway service receives it. The target website server is a server providing a website access service, and may be the target of an attacker operating from an illegal terminal device.
After receiving an access request initiated by a visitor through a client application, the gateway service performs signature authentication on it. The access request carries a signature parameter, and signature authentication by the gateway service is the process of verifying that signature parameter.
When the access request of the client fails signature authentication, the gateway service determines that the access request is an illegal request and stores it in the gateway data center. As illegal requests are stored continuously, the gateway data center can obtain a request data set containing a plurality of illegal requests directly from its local store.
In some embodiments, the gateway data center may obtain the request data set at a preset time interval, or according to another preset rule (e.g., periodically, aperiodically, randomly, or in real time).
In step S220, feature dimension reduction processing is performed on the plurality of illegal requests to obtain processed features.
Due to the characteristics of large request quantity and various features of illegal requests, too many feature dimensions can cause the feature matching to be too complex, and system resources are consumed. Therefore, after acquiring the plurality of illegal requests, the gateway data center needs to perform feature dimension reduction processing on the plurality of illegal requests first.
In some embodiments of the present application, the method for performing feature dimension reduction processing on the illegal requests may be Principal Component Analysis (PCA), Linear Discriminant Analysis (LDA), Local Linear Embedding (LLE), Multidimensional Scaling (MDS), Isometric Mapping (ISOMAP), Local Preserving Projection (LPP), Laplacian Eigenmaps (LE), and the like.
In step S230, the illegal requests are clustered based on the processed features, and a plurality of clustering results are obtained.
Clustering refers to a process of dividing a set of physical or abstract objects into a plurality of classes composed of similar objects; the cluster generated by clustering is a collection of a set of data objects that are similar to objects in the same cluster and distinct from objects in other clusters.
Specifically, in this embodiment, after the feature dimensionality reduction processing is performed to obtain the processed features, the gateway data center may perform clustering processing on the plurality of illegal requests based on the processed features, and cluster the illegal requests having similar features together to obtain a plurality of clustering results.
In some embodiments, the gateway data center may cluster the processed features obtained in the above steps according to a preset distance function by using a K-means Clustering Algorithm (K-means Clustering Algorithm), and obtain a plurality of Clustering results after the Clustering is completed.
The K-means clustering algorithm is an iterative cluster analysis algorithm: K objects are first chosen at random as the initial cluster centers; the distance between each object and each cluster center is then calculated and each object is assigned to the closest cluster center, the cluster center and the objects assigned to it representing one cluster; once every object has been assigned, the center of each cluster is recalculated from the objects currently in it; and this process is repeated until a termination condition is met, at which point clustering stops and the clustering result is obtained.
It is understood that, in addition to K-means, the gateway data center may also employ a mean-shift clustering algorithm, a density-based spatial clustering algorithm, an expectation-maximization clustering algorithm using a Gaussian mixture model, a hierarchical clustering algorithm, and so on, and that the distance function in the above steps may be the Minkowski distance, cosine similarity, Euclidean distance, Manhattan distance, Chebyshev distance, Pearson correlation coefficient, and so on. These are not described in detail herein.
In step S240, the illegal request included in the target clustering result of the plurality of clustering results is determined as a malicious request, and the target clustering result is the clustering result with the largest number of illegal requests included in the plurality of clustering results.
In this embodiment, if there is a target clustering result among the plurality of clustering results that contains the largest number of illegal requests, the illegal requests it contains are, with high probability, malicious requests from a client; that is, the illegal requests contained in the target clustering result can be determined to be malicious requests.
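The following Python example is added here to show steps S210 to S240 end to end on a constructed data set; it is not code from the patent. PCA is used for step S220 and K-means for step S230, both implemented in plain Python. The illegal requests, their addresses, accounts and paths, the choice of features, and the farthest-first seeding of K-means (the text describes random seeding) are all assumptions made for the example.

```python
import math
from typing import Dict, List, Sequence

# Constructed sample of requests that failed signature authentication (step
# S210). b1..b6 are one source hammering one interface with fresh nonces and
# well-formed but wrong signatures, the residue a brute-force attempt on the
# signature leaves behind; o1..o3 are isolated failures (skewed clock and a
# different nonce format, a malformed signature, a wrong key on another
# interface). Addresses, accounts and paths are placeholders.
ILLEGAL_REQUESTS: List[Dict] = [
    {"id": f"b{i}", "path": "/api/v1/order", "src": "203.0.113.7",
     "received": 1601900400 + i + i % 3,
     "params": {"nonce": f"a1b2c3d{i}", "secret": "acct-01", "timestamp": 1601900400 + i,
                "signature": "0" * 63 + "f", "m_int": "42", "m_string": "x"}}
    for i in range(1, 7)
] + [
    {"id": "o1", "path": "/api/v1/order", "src": "198.51.100.9", "received": 1601900650,
     "params": {"nonce": "9f8e7d6c" * 4, "secret": "acct-02", "timestamp": 1601900400,
                "signature": "1" * 64, "m_int": "7", "m_string": "y"}},
    {"id": "o2", "path": "/api/v1/user", "src": "198.51.100.10", "received": 1601900403,
     "params": {"nonce": "deadbeef", "secret": "acct-03", "timestamp": 1601900400,
                "signature": "not-a-valid-signature"}},
    {"id": "o3", "path": "/api/v1/pay", "src": "198.51.100.11", "received": 1601900405,
     "params": {"nonce": "0123456789abcdef", "secret": "acct-04", "timestamp": 1601900400,
                "signature": "2" * 64, "a": "1", "b": "2", "c": "3", "d": "4", "e": "5"}},
]
PATH_INDEX = {"/api/v1/order": 0, "/api/v1/user": 1, "/api/v1/pay": 2}
META = ("nonce", "secret", "timestamp", "signature")


def request_features(req: Dict) -> List[float]:
    """Raw feature vector for one illegal request (an illustrative choice of features)."""
    p = req["params"]
    sig = str(p.get("signature", ""))
    hex_frac = sum(c in "0123456789abcdef" for c in sig.lower()) / len(sig) if sig else 0.0
    return [
        float(PATH_INDEX.get(req["path"], len(PATH_INDEX))),        # which interface
        float(abs(req["received"] - int(p.get("timestamp", 0)))),    # clock drift, seconds
        float(len(str(p.get("nonce", "")))),
        float(len([k for k in p if k not in META])),                 # business parameters
        float(len(sig)),
        hex_frac,
    ]


def min_max_scale(rows: Sequence[Sequence[float]]) -> List[List[float]]:
    lo = [min(c) for c in zip(*rows)]
    hi = [max(c) for c in zip(*rows)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in rows]


def pca(rows: Sequence[Sequence[float]], k: int, iters: int = 200) -> List[List[float]]:
    """Step S220 with PCA: project onto the top-k principal components, found by
    power iteration with deflation on the covariance matrix (no numpy needed)."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[i] for r in rows) / n for i in range(d)]
    centred = [[r[i] - mean[i] for i in range(d)] for r in rows]
    cov = [[sum(r[i] * r[j] for r in centred) / (n - 1) for j in range(d)] for i in range(d)]
    comps: List[List[float]] = []
    for _ in range(k):
        v = [1.0 / (i + 2) for i in range(d)]
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm < 1e-12:
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
    return [[sum(r[i] * c[i] for i in range(d)) for c in comps] for r in centred]


def kmeans(points: Sequence[Sequence[float]], k: int, iters: int = 50) -> List[int]:
    """Step S230 with K-means (Euclidean distance). Seeding is farthest-first
    rather than the random choice described in the text, so runs are repeatable."""
    centres = [list(points[0])]
    while len(centres) < k:
        centres.append(list(max(points, key=lambda p: min(math.dist(p, c) for c in centres))))
    labels = [-1] * len(points)
    for _ in range(iters):
        new = [min(range(k), key=lambda j: math.dist(p, centres[j])) for p in points]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:  # an empty cluster keeps its old centre
                centres[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def detect_malicious(requests: List[Dict], k: int = 3, dims: int = 2):
    """Steps S220-S240: reduce, cluster, and flag the largest cluster as malicious."""
    feats = min_max_scale([request_features(r) for r in requests])
    labels = kmeans(pca(feats, dims), k)
    clusters: Dict[int, List[str]] = {}
    for req, label in zip(requests, labels):
        clusters.setdefault(label, []).append(req["id"])
    return max(clusters.values(), key=len), clusters


if __name__ == "__main__":
    flagged, groups = detect_malicious(ILLEGAL_REQUESTS)
    print("clusters:", groups)
    print("malicious:", flagged)
```

Running the script prints the clusters and the flagged IDs; the six near-identical brute-force requests land in one cluster, which is the largest and is therefore reported as malicious. Two points a practitioner should take from the example: features must be scaled before PCA, otherwise a single large-valued feature such as clock drift dominates the projection, and the "largest cluster is malicious" rule only holds when legitimate signature failures are rare and diverse, so the size of that cluster should be checked against a threshold before alarms are raised.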
In some embodiments, after the malicious request is determined, the gateway may send an alarm notification of the malicious request to related personnel, so as to introduce subsequent manual intervention operation, which is beneficial to timely finding and dealing with subsequent possible abnormal phenomena.
Based on the technical scheme of this embodiment, the gateway actively detects malicious requests: a client that tries to break or bypass the signature authentication of the gateway service by brute-force enumeration or similar means is detected, which removes the limitation of relying on signature authentication alone, keeps the gateway service operating normally, and improves the safety of user information and data. Moreover, the detection process does not depend on a pre-trained algorithm model; the processing algorithms are applied dynamically during detection, which improves the ability to detect sudden new types of malicious request.
In an embodiment of the present application, in order to implement feature dimension reduction processing on a plurality of illegal requests, the plurality of illegal requests may be directly input into a feature dimension reduction model, and then the processed features may be output through the feature dimension reduction model, where the feature dimension reduction model is obtained through model training. As shown in fig. 3, a flowchart of a model training method according to an embodiment of the present application is shown, which may specifically include steps S310 to S330, and the following is now described in detail:
step S310, inputting a training sample containing an illegal request into a preset network model, wherein the preset network model comprises an input layer, a plurality of hidden layers and an output layer, the input layer comprises a coding function, and the output layer comprises a decoding function.
Specifically, before performing model training, a training sample containing an illegal request may be obtained first, and then the training sample for training the model may be input into the preset network model. In this embodiment, the preset network model includes an input layer, a plurality of hidden layers, and an output layer, where the input layer includes an encoding function and the output layer includes a decoding function.
For example, the preset network model in this embodiment may be a denoising autoencoder (DAE). A denoising autoencoder is a class of autoencoder that takes corrupted data as input and is trained to predict the original, uncorrupted data as output. It is an unsupervised learning model, so no sample labels need to be provided in advance; it can therefore adapt to dynamic changes in the features and learn the essential features that reflect the input data.
For ease of understanding, the construction of the denoising autoencoder is introduced with reference to fig. 4. The denoising autoencoder first erases each component of the original input x with a certain probability q, obtaining a corrupted input x' in which part of the features is lost; it then computes a feature y from the corrupted input x', reconstructs an input z from the feature y, and finally learns the network functions f (encoder) and g (decoder) iteratively, taking the reconstruction error between the original input x and the reconstructed input z as the learning target.
And S320, aiming at the training sample, coding through the coding function, carrying out feature extraction step by step through the plurality of hidden layers, decoding through the decoding function, and outputting to obtain a reconstructed sample.
Specifically, in this embodiment, the original input x of the denoising autoencoder is a training sample containing an illegal request, the network function f is the coding function and the network function g is the decoding function. The training sample therefore undergoes feature erasure, coding by the coding function, step-by-step feature extraction through the multiple hidden layers, and decoding by the decoding function, and a reconstructed sample is finally output.
And S330, training parameters in the coding function and the decoding function according to the reconstruction errors of the reconstruction samples and the training samples to obtain the feature dimension reduction model.
After the reconstructed sample has been output, it is compared with the training sample of step S310 and the reconstruction error between the two is calculated. The parameters in the coding function and the decoding function are then trained so as to minimize this reconstruction error, and the trained network is the feature dimension reduction model: the output of its coding function (the hidden representation y) is the processed, lower-dimensional feature used in the subsequent clustering.
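The following Python example is added to make steps S310 to S330 concrete; it is not code from the patent. It trains a single-hidden-layer denoising autoencoder on constructed, already-scaled feature rows of illegal requests, with corruption probability q, an encoder f(x') = s(Wx' + b), a decoder g(y) = s(W'y + b'), and a squared reconstruction error as the learning target, then uses the encoder output as the reduced feature. The layer sizes, learning rate, corruption rate and sample values are assumptions for the example.

```python
import math
import random
from typing import List

Vector = List[float]
Matrix = List[List[float]]

# Constructed, already min-max-scaled feature rows of illegal requests (columns:
# interface index, clock drift, nonce length, business-parameter count,
# signature length, hex fraction of the signature). The values are illustrative.
SAMPLES: Matrix = [
    [0.0, 0.004, 0.0, 0.4, 1.0, 1.0],
    [0.0, 0.008, 0.0, 0.4, 1.0, 1.0],
    [0.0, 0.000, 0.0, 0.4, 1.0, 1.0],
    [0.0, 0.004, 0.0, 0.4, 1.0, 1.0],
    [0.0, 0.008, 0.0, 0.4, 1.0, 1.0],
    [0.0, 0.000, 0.0, 0.4, 1.0, 1.0],
    [0.0, 1.000, 1.0, 0.4, 1.0, 1.0],
    [0.5, 0.012, 0.0, 0.0, 0.0, 0.0],
    [1.0, 0.020, 0.33, 1.0, 1.0, 1.0],
]


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


class DenoisingAutoencoder:
    """x -> corrupt with probability q -> x'; y = f(x') = s(W x' + b);
    z = g(y) = s(W' y + b'); trained to minimise 0.5 * ||x - z||^2."""

    def __init__(self, n_in: int, n_hidden: int, corruption: float = 0.3,
                 lr: float = 0.3, seed: int = 7) -> None:
        self.rng = random.Random(seed)          # seeded so the run is repeatable
        self.q, self.lr = corruption, lr
        self.W = [[self.rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b = [0.0] * n_hidden
        self.W2 = [[self.rng.uniform(-0.5, 0.5) for _ in range(n_hidden)] for _ in range(n_in)]
        self.b2 = [0.0] * n_in

    def corrupt(self, x: Vector) -> Vector:
        """Erase each component with probability q (the x -> x' step)."""
        return [0.0 if self.rng.random() < self.q else v for v in x]

    def encode(self, x: Vector) -> Vector:
        return [sigmoid(sum(w * v for w, v in zip(row, x)) + b) for row, b in zip(self.W, self.b)]

    def decode(self, y: Vector) -> Vector:
        return [sigmoid(sum(w * v for w, v in zip(row, y)) + b) for row, b in zip(self.W2, self.b2)]

    def reconstruction_error(self, x: Vector) -> float:
        z = self.decode(self.encode(x))          # evaluated on the clean input
        return 0.5 * sum((a - c) ** 2 for a, c in zip(x, z))

    def train_step(self, x: Vector) -> None:
        xc = self.corrupt(x)
        y = self.encode(xc)
        z = self.decode(y)
        # backpropagate 0.5 * ||x - z||^2 through both sigmoid layers
        dz = [(zi - xi) * zi * (1 - zi) for zi, xi in zip(z, x)]
        dy = [sum(dz[i] * self.W2[i][j] for i in range(len(dz))) * y[j] * (1 - y[j])
              for j in range(len(y))]
        for i in range(len(dz)):
            for j in range(len(y)):
                self.W2[i][j] -= self.lr * dz[i] * y[j]
            self.b2[i] -= self.lr * dz[i]
        for j in range(len(y)):
            for i in range(len(xc)):
                self.W[j][i] -= self.lr * dy[j] * xc[i]
            self.b[j] -= self.lr * dy[j]

    def fit(self, rows: Matrix, epochs: int = 300) -> "DenoisingAutoencoder":
        for _ in range(epochs):
            for x in rows:
                self.train_step(x)
        return self


def mean_error(model: DenoisingAutoencoder, rows: Matrix) -> float:
    return sum(model.reconstruction_error(x) for x in rows) / len(rows)


def train_dimension_reducer(rows: Matrix = SAMPLES, n_hidden: int = 2, epochs: int = 300):
    """Returns the trained model plus the mean reconstruction error before and after."""
    model = DenoisingAutoencoder(len(rows[0]), n_hidden)
    before = mean_error(model, rows)
    model.fit(rows, epochs)
    return model, before, mean_error(model, rows)


if __name__ == "__main__":
    model, before, after = train_dimension_reducer()
    print(f"mean reconstruction error: {before:.4f} -> {after:.4f}")
    print("reduced features:", [[round(v, 3) for v in model.encode(x)] for x in SAMPLES])
```

The encoder output (here two values per request) is what step S220 hands to the clustering step. Because the model is fitted without labels, it can be refitted on each new request data set, which is what the text means by not depending on a pre-trained model; the trade-off is that a drifting data set also drifts the feature space, so cluster sizes from different fits should not be compared directly.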
In an embodiment of the present application, as shown in fig. 5, step S230 may specifically include step S510 to step S520, which are described in detail as follows:
step S510, mapping the processed feature from a first dimension space to a second dimension space to obtain a mapped feature, where the first dimension space is a dimension space where the processed feature is located, and a dimension of the first dimension space is lower than a dimension of the second dimension space.
In this embodiment, to implement clustering, first, the processed features may be subjected to dimension space transformation, and the processed features are mapped from the first dimension space where the processed features are located to the second dimension space, where the dimension of the first dimension space is lower than that of the second dimension space, that is, the processed features are mapped from the low dimension space to the high dimension space.
Step S520, performing partition processing on the plurality of illegal requests based on the mapped features to obtain a plurality of partition results, and mapping the plurality of partition results from the second dimension space to the first dimension space to obtain the plurality of clustering results.
After obtaining the mapped features in the second dimension space through step S510, the illegal requests may be divided based on the mapped features to obtain a plurality of division results, and the plurality of division results are mapped from the second dimension space to the first dimension space to obtain a plurality of clustering results.
In some embodiments, the multiple illegal requests may be partitioned in the second dimension using a hyperplane in a Support Vector Machines (SVM).
Here, briefly, a hyperplane in n-dimensional Euclidean space is a linear subspace of codimension one, that is, a subspace of dimension n-1. In other words, a hyperplane is a subspace one dimension smaller than its ambient space: if the space is three-dimensional, a hyperplane is a two-dimensional plane; if the space is two-dimensional, a hyperplane is a one-dimensional straight line.
The hyperplane is used to divide and classify: it splits the space into three parts, the hyperplane itself, the region above it and the region below it. For example, in a two-dimensional space the hyperplane is a straight line defined by wx + b = 0; the region above it satisfies wx + b > 0 and the region below it satisfies wx + b < 0. Substituting a value of x into wx + b and comparing the result with 0 tells which side, and hence which class, the current x belongs to.
In an embodiment of the present application, when the gateway data center performs feature dimension reduction on a plurality of illegal requests, in order to avoid that a processing speed of the gateway data center may become slow due to a large number of illegal requests, the gateway data center may delete an expired illegal request to obtain a new request data set, and then perform feature dimension reduction on an illegal request included in the new request data set, in this embodiment, step S220 may specifically include the following steps:
determining whether expired illegal requests exist in the request data set according to valid time information corresponding to each illegal request; and if the expired illegal request exists, deleting the expired illegal request from the request data set to obtain a new request data set, and performing feature dimension reduction processing on the illegal request contained in the new request data set.
Specifically, the gateway data center may set a data retention time length, obtain valid time information corresponding to each illegal request according to the data retention time length and an adding time of the illegal request added to the request data set, and determine whether an expired illegal request exists in the request data set according to the valid time information corresponding to each illegal request.
For example, if the data retention time set by the gateway data center is 24 hours and illegal request A was added to the request data set at 2020-10-05 12:00:00, the valid time information of illegal request A is 2020-10-05 12:00:00 to 2020-10-06 12:00:00. If the gateway data center obtains the request data set at 2020-10-07 07:00:00 for feature dimension reduction processing, illegal request A is determined to be an expired illegal request and can be deleted directly.
According to the embodiment, the expired illegal requests are quickly deleted according to the valid time information corresponding to each illegal request, so that the gateway data center can maintain a reasonable data set size, and the influence of expansion of the data set on the processing speed of the gateway data center is avoided.
In an embodiment of the present application, after receiving an access request from a client, a gateway service may perform source address verification and parameter check on the access request before performing signature authentication on the access request, as shown in fig. 6, which may specifically include steps S610 to S620, and the following is described in detail:
step S610, verifying the source address of the access request of the client, and checking the parameters carried by the access request.
In the foregoing step, the source address of the access request is the Internet Protocol (IP) address of the terminal device that sent it. After receiving the access request, the gateway service may verify its source address, for example by checking whether the IP address of the terminal device is a known malicious source address; if it is, the access request originating from that address is treated as a malicious request. It should be noted that the source address is assigned by the network service provider rather than chosen by the terminal device, which is why the gateway service treats it as a reliable attribute. A practitioner should keep two limits of this assumption in mind: a UDP source address can be forged, since no handshake confirms it (a TCP request must come from a routable source), and a public address behind NAT or a proxy is shared by many devices, which is the case the validity time described below is meant to handle.
In an embodiment of the present application, the process of verifying the source address of the access request by the gateway service may specifically include the following steps:
the method comprises the steps of obtaining a malicious source address set, wherein the malicious source address set comprises a plurality of malicious source addresses, and each malicious source address has effective time information;
if no target malicious source address identical to the source address of the access request exists in the malicious source address set, or such a target malicious source address exists in the malicious source address set but its valid time information has expired, it is determined that the access request passes source address verification.
In this embodiment, the gateway service may obtain the malicious source address set, and check the source address of the access request according to a plurality of malicious source addresses included in the malicious source address set. In some embodiments, the gateway service may obtain the malicious source address set from the gateway data center, and after detecting the malicious request, the gateway data center may store the source address of the terminal device that sent the malicious request, thereby obtaining the malicious source address set.
When the gateway service subsequently receives the access request, the gateway service can directly acquire the malicious source address set from the gateway data center, and judge whether the source address of the terminal device corresponding to the access request is in the malicious source address set according to the malicious source address set, so that the efficiency of verifying the source address of the access request is improved.
Considering that a malicious attacker may send malicious requests from a shared public network address, the source address of a malicious request may be the same public address that normal users sit behind, and it would obviously be unfavorable to legitimate terminal devices on that address to treat it as a malicious source address forever. Therefore, in this embodiment, each malicious source address in the malicious source address set carries valid time information; that is, no address in the set is regarded as malicious indefinitely.
Thus, if the gateway service determines that a target malicious source address identical to the source address of the access request does not exist in the set of malicious source addresses, or the gateway service determines that a target malicious source address identical to the source address of the access request exists in the set of malicious source addresses, but the target malicious source address exceeds the validity time information, the gateway service may determine that the access request passes the source address check.
After determining that the access request passes the source address check, the gateway service may also check a parameter carried by the access request, it being understood that the access request may carry a series of parameters, such as a timestamp, a random number, a signature, and so on. After receiving the access request, the gateway service may check a series of parameters carried in the access request, for example, check whether the access request lacks related parameters, or whether the parameters are correct, or the like.
In an embodiment of the present application, the checking of the parameter carried by the access request may be checking a timestamp, a random number, and an authorized account, and in this embodiment, the checking specifically may include: and if the access request carries a timestamp, a random number and an authorized account, and the timestamp difference between the current timestamp and the timestamp is determined to be within a preset timestamp difference range according to the timestamp, determining that the access request passes parameter check.
First, it should be noted that both the timestamp and the random number are generated when the terminal device sends an access request, and identify the relevant information of the access request this time. And when the terminal equipment accesses the gateway service, the authorization account and the authorization key are distributed to the terminal equipment by the gateway service and are simultaneously stored in the terminal equipment and the gateway service. No third party has an authorization key, except for the terminal device and the gateway service. The timestamp, random number, and authorization account are parameters that must be carried by the access request.
If the result of the check performed by the gateway service on the parameter carried by the access request is that the access request does not lack the parameter that must be carried, the gateway service may further determine the parameter, specifically, determine whether a timestamp difference between the current timestamp and a timestamp carried by the access request is within a preset timestamp difference range. The current timestamp refers to server timestamp information maintained by the gateway service when the gateway service receives the access request. If the judgment result of the timestamp is that the timestamp difference is within the preset timestamp difference range, the access request can be determined to pass the parameter check.
On the contrary, if the gateway service checks that the access request lacks any one of the parameters of the timestamp, the random number and the authorized account, or the access request does not lack the parameter which must be carried, but the judgment result of the timestamp indicates that the timestamp difference is not within the preset timestamp difference range, the gateway service can directly reject the access request.
And step S620, if the access request passes source address verification and parameter check, performing signature authentication on the access request.
If the gateway service verifies the source address of the access request, that is, the access request passes the source address verification, and the gateway service checks the parameters carried by the access request, that is, the access request passes the parameter check, the gateway service can further perform signature authentication on the access request.
Based on the technical solution of the foregoing embodiment, in an embodiment of the present application, as shown in fig. 7, a process of performing signature authentication on an access request may include steps S710 to S730, which is specifically described as follows:
step S710, sequentially arranging parameter names of other parameters carried in the access request of the client, except for the signature, and parameter values corresponding to the parameter names to generate a first character string.
Specifically, the access request of the client may carry a series of parameters. In this embodiment, the parameter names of the parameters other than the signature, together with their corresponding parameter values, are arranged in sequence to generate the first character string; specifically, the gateway service may concatenate them in the form "name1=value1&name2=value2".
Schematically, as shown in fig. 8 and 9, a parameter name (KEY) and a parameter VALUE (VALUE) corresponding to the parameter name that may be carried in the access request are shown in both a rectangular box a1 and a rectangular box B1, and as can be seen from fig. 8 and 9, the parameter name includes a random number (nonce), an authorized account (secret), a signature method (signature), a timestamp (timestamp), a signature (signature), and business logic parameters (expire, m _ int, and m _ string), and parameter VALUEs corresponding to the respective parameter names.
Step S720, adding the target interface address corresponding to the access request to the head of the first character string to generate a second character string, and performing hash calculation on the second character string to obtain an operation signature of the access request.
After generating the first string, the target interface address corresponding to the access request may be added to the head of the first string to generate a second string. The gateway service is provided with a plurality of interfaces, the interfaces are opened to the terminal equipment, each interface corresponds to an interface address, and the terminal equipment can call a target interface corresponding to the target interface address by triggering the target interface address to generate an access request.
Further, after generating the second character string, the gateway service performs a keyed hash calculation on it using the authorization key corresponding to the authorization account carried in the request, obtaining the operation signature of the access request. In one embodiment, the gateway service may use HMAC-SHA256, that is, a Hash-based Message Authentication Code (HMAC) built on the Secure Hash Algorithm 256 (SHA-256). Because the authorization key is shared only between the terminal device and the gateway service, a sender without the key cannot produce a signature that matches. HMAC-SHA256 itself is not described in detail herein.
Step S730, if the operation signature of the access request is not consistent with the signature carried by the access request, determining that the access request fails the signature authentication.
In this embodiment, signature authentication is performed on the access request by determining whether the operation signature of the access request is consistent with the signature carried by the access request. If the two are not consistent, the access request can be determined not to pass the signature authentication, and then the access request can be determined to be an illegal request, and if the two are consistent, the access request can be determined to pass the signature authentication, and then the access request can be determined to be a legal request.
When the access request of the client is determined to be an illegal request, whether the illegal request is a malicious request can be further detected according to steps S210 to S240 of the present application. The results returned by the gateway service for a legal request and for a malicious request differ: rectangular box A2 in fig. 8 shows the return result for a legal request, and rectangular box B2 in fig. 9 shows the return result for a malicious request. As the comparison of A2 and B2 shows, for a legal request the gateway service returns the normal response of the service logic, which here simply processes the parameters m_int and m_string and returns a response; for a malicious request the gateway service does not forward the request to the subsequent service logic, but intercepts it and directly returns an error prompt as the response, namely that the access request is not allowed ("request is not allowed").
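The following Python example is added to show the gateway service side of steps S610 to S620 and S710 to S730 together with the client side that produces the signature; it is not code from the patent. It assumes a lexicographic order of parameter names for the first character string (the text only says "in sequence"), a hex-encoded HMAC-SHA256 signature, and placeholder accounts, keys, interface addresses and a malicious source address set. It also goes one step beyond the text: a nonce the gateway has already accepted is refused, which is what carrying a nonce is for, and the check is done only after a valid signature so that unauthenticated traffic cannot fill the nonce store.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed gateway state; keys and addresses are placeholders.
AUTH_KEYS: Dict[str, bytes] = {"acct-01": b"k3y-for-acct-01"}   # authorized account -> authorization key
MALICIOUS_SOURCES: Dict[str, int] = {                             # source address -> valid-until (epoch s)
    "198.51.100.9": 1601990400,   # still listed at NOW
    "192.0.2.5": 1601800000,      # listing already expired at NOW
}
TIMESTAMP_WINDOW = 300            # preset timestamp difference range, seconds
REQUIRED = ("timestamp", "nonce", "secret")
_seen_nonces: set = set()         # replay guard (beyond what the text describes)


def canonical_string(interface: str, params: Dict[str, str]) -> str:
    """Second string of step S720: interface address + 'name1=value1&name2=value2',
    all parameters except the signature, ordered by name (assumed)."""
    body = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "signature")
    return interface + body


def compute_signature(interface: str, params: Dict[str, str], key: bytes) -> str:
    """Operation signature: HMAC-SHA256 over the second string, keyed with the authorization key."""
    return hmac.new(key, canonical_string(interface, params).encode(), hashlib.sha256).hexdigest()


def sign_request(interface: str, params: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Client side: attach the signature the gateway will recompute."""
    signed = dict(params)
    signed["signature"] = compute_signature(interface, params, key)
    return signed


def check_source(src: str, now: int) -> bool:
    """Passes unless the address is listed and its valid time has not yet expired."""
    expires = MALICIOUS_SOURCES.get(src)
    return expires is None or now > expires


def check_params(params: Dict[str, str], now: int) -> bool:
    """Timestamp, nonce and authorized account present; timestamp within the window."""
    if any(k not in params for k in REQUIRED):
        return False
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return False
    return abs(now - ts) <= TIMESTAMP_WINDOW


def gateway_authenticate(src: str, interface: str, params: Dict[str, str], now: int) -> Tuple[str, str]:
    """Returns (verdict, reason): 'rejected' (step S610 failed), 'illegal' (step S730
    failed, to be reported to the data center), or 'legal'."""
    if not check_source(src, now):
        return "rejected", "source address listed as malicious"
    if not check_params(params, now):
        return "rejected", "missing parameter or timestamp outside window"
    key = AUTH_KEYS.get(params["secret"])
    if key is None or "signature" not in params:
        return "illegal", "unknown account or no signature"
    expected = compute_signature(interface, params, key)
    if not hmac.compare_digest(expected, params["signature"]):   # constant-time compare
        return "illegal", "signature mismatch"
    if params["nonce"] in _seen_nonces:
        return "rejected", "nonce replayed"
    _seen_nonces.add(params["nonce"])
    return "legal", "ok"


if __name__ == "__main__":
    NOW = 1601900400
    base = {"nonce": "a1b2c3d4", "secret": "acct-01", "timestamp": str(NOW - 5),
            "m_int": "42", "m_string": "hello"}
    signed = sign_request("/api/v1/order", base, AUTH_KEYS["acct-01"])
    print("canonical:", canonical_string("/api/v1/order", signed))
    print("legit    :", gateway_authenticate("203.0.113.7", "/api/v1/order", signed, NOW))
    print("tampered :", gateway_authenticate("203.0.113.7", "/api/v1/order", dict(signed, m_int="43"), NOW))
    print("replayed :", gateway_authenticate("203.0.113.7", "/api/v1/order", signed, NOW))
    print("blocked  :", gateway_authenticate("198.51.100.9", "/api/v1/order", signed, NOW))
```

Two details matter in practice. The interface address is prefixed to the string so a signature captured for one interface cannot be replayed against another, and the comparison in step S730 uses hmac.compare_digest rather than == so that the time taken to reject a wrong signature does not leak how many leading bytes were right. The in-memory nonce set is enough for an example; a real gateway keeps nonces with an expiry equal to the timestamp window, in a store shared by all gateway instances.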
In an embodiment of the application, if the access request passes the signature authentication, it indicates that the access request is a legal request, and the legal request can be responded by the server, so that the gateway service may further determine whether the access frequency of the target interface corresponding to the access request reaches a preset upper limit, and if not, the gateway service may forward the access request to the server corresponding to the target interface, so that the server responds to the access request.
It should be noted that the gateway service may preset an upper limit of the access frequency of the interface, so as to protect the request load of the server, and therefore, only when the access frequency of the target interface corresponding to the access request does not reach the preset upper limit, the gateway service may forward the access request to the server corresponding to the target interface. Further, it should be noted that a plurality of interfaces are set in the gateway service, and a mapping relationship between the interfaces and the service logic server is pre-established, so that the gateway service can perform routing forwarding on the access request according to the mapping relationship between the interfaces and the service logic server.
In an embodiment of the present application, the gateway service needs to determine whether the access frequency of the target interface corresponding to the access request reaches a preset upper limit, and further determines whether the access request is a high-frequency access request in a unit time, if so, the access request may be directly rejected, and if not, the access request may be forwarded according to a mapping relationship between the interface and the server. The gateway service can use the access request with the access frequency exceeding the preset threshold in the unit time as the access request with high frequency.
Fig. 10 shows a flowchart of a malicious request detection method according to an embodiment of the present application, where the malicious request detection method may be performed by a gateway, and the gateway may provide a gateway service and a gateway data center, as shown in fig. 10, the malicious request detection method in this embodiment may include the following steps:
step S1010, the gateway service receives an access request sent by a client;
step S1020, the gateway service verifies the source address of the access request, and if the source address passes the verification, step S1030 is executed; if the source address is not verified, the access request is refused;
step S1030, the gateway service checks the parameters carried by the access request, and if the parameters pass the check, the step S1040 is executed; if the parameter check fails, the access request is refused;
step S1040, the gateway service carries out signature authentication on the access request, and if the signature authentication passes, step S1090 is executed; if the signature authentication is not passed, executing step S1050 and rejecting the access request;
step S1050, the gateway data center receives the access requests (i.e. illegal requests) that failed signature authentication and were reported by the gateway service, and forms a request data set;
step S1060, the gateway data center performs feature dimension reduction processing on the plurality of illegal requests contained in the request data set to obtain processed features;
step S1070, the gateway data center carries out clustering processing on the plurality of illegal requests based on the processed features to obtain a plurality of clustering results;
step S1080, the gateway data center determines the illegal requests contained in the clustering result with the largest number of illegal requests among the clustering results as malicious requests.
In some embodiments, after determining the malicious request, the gateway data center may store a source address of the malicious request to form a malicious source address set, and after subsequently receiving an access request, the gateway service may directly obtain the malicious source address set from the gateway data center, and perform source address verification on the received access request according to the malicious source address set.
In some embodiments, after determining the malicious request, the gateway data center may further send an alarm notification of the malicious request to related personnel, so as to introduce subsequent manual intervention operation, thereby facilitating timely discovery and coping with subsequent abnormal phenomena that may occur.
step S1090, judging whether the access frequency of the target interface corresponding to the access request reaches a preset upper limit; if so, rejecting the access request, and if not, forwarding the access request to the server.
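The gateway service side of steps S1010 to S1090, written as an added example (not code from the patent): a blocked-source set with per-address valid time, the timestamp/nonce/account parameter check, the operation signature built from the sorted non-signature parameters with the target interface address prepended, and a per-interface upper limit. The sort order, the `&`/`=` separators, the HMAC-SHA256 keyed with a shared secret (the patent only says "hash calculation") and all sample values are assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict


class Gateway:
    """Gateway service steps S1010-S1090: source address verification,
    parameter check, signature authentication, then per-interface rate
    limiting before forwarding to the service logic server."""

    def __init__(self, malicious_sources, secret, now=None,
                 ts_window=300, rate_limit=100, rate_window=60):
        # malicious_sources: {source_address: valid_until_unix_time},
        # as produced by the gateway data center (assumed representation).
        self.malicious_sources = dict(malicious_sources)
        self.secret = secret            # assumed shared signing key
        self.now = now or time.time     # injectable clock for testing
        self.ts_window = ts_window      # allowed timestamp skew in seconds
        self.rate_limit = rate_limit    # max requests per interface per window
        self.rate_window = rate_window
        self.illegal_requests = []      # reported to the gateway data center
        self._hits = defaultdict(list)  # interface -> recent request times

    def verify_source(self, src):
        """Step S1020: pass if the source is not in the malicious set, or is
        listed but its valid time has already expired."""
        valid_until = self.malicious_sources.get(src)
        return valid_until is None or self.now() >= valid_until

    def check_parameters(self, params):
        """Step S1030: timestamp, random number and authorized account must
        be present and the timestamp must be within the allowed skew."""
        if any(name not in params for name in ("timestamp", "nonce", "account")):
            return False
        try:
            ts = int(params["timestamp"])
        except (TypeError, ValueError):
            return False
        return abs(self.now() - ts) <= self.ts_window

    def compute_signature(self, interface, params):
        """Operation signature: arrange the non-signature parameters as
        name=value pairs, prepend the target interface address, hash."""
        # Sorting by name and '&' separators are assumptions; the patent only
        # says the parameters are arranged sequentially.
        first = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
        second = interface + first
        # The patent says "hash calculation"; a keyed HMAC-SHA256 is used here
        # so that only a holder of the shared key can produce a valid signature.
        return hmac.new(self.secret, second.encode("utf-8"), hashlib.sha256).hexdigest()

    def authenticate_signature(self, interface, params):
        """Step S1040: constant-time comparison against the carried signature."""
        expected = self.compute_signature(interface, params)
        return hmac.compare_digest(expected, str(params.get("sign", "")))

    def within_rate_limit(self, interface):
        """Step S1090: reject when the interface already reached its upper
        limit within the current unit time."""
        now = self.now()
        recent = [t for t in self._hits[interface] if now - t < self.rate_window]
        if len(recent) >= self.rate_limit:
            self._hits[interface] = recent
            return False
        recent.append(now)
        self._hits[interface] = recent
        return True

    def handle(self, src, interface, params):
        """Run the checks in order and return the gateway's decision."""
        if not self.verify_source(src):
            return "rejected: source address"
        if not self.check_parameters(params):
            return "rejected: parameter check"
        if not self.authenticate_signature(interface, params):
            # Step S1050: report the illegal request to the data center.
            self.illegal_requests.append({"src": src, "interface": interface, **params})
            return "rejected: request is not allowed"
        if not self.within_rate_limit(interface):
            return "rejected: interface upper limit reached"
        return f"forwarded: {interface}"


if __name__ == "__main__":
    def clock():
        return 1_700_000_000  # constructed fixed clock

    gw = Gateway({"203.0.113.9": 1_700_000_900}, b"constructed-key", now=clock)
    req = {"timestamp": "1700000000", "nonce": "n1", "account": "u1",
           "m_int": "1", "m_string": "x"}
    req["sign"] = gw.compute_signature("/api/echo", req)
    print(gw.handle("198.51.100.1", "/api/echo", req))
    print(gw.handle("198.51.100.1", "/api/echo", dict(req, sign="bad")))
```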
Fig. 11 shows a logic diagram of a malicious request detection method according to an embodiment of the present application, and as shown in fig. 11, in this embodiment, the malicious request detection method may specifically include the following steps:
S1, obtaining a request data set, wherein the request data set comprises a plurality of illegal requests;
S2, performing feature dimension reduction processing on the illegal requests to obtain processed features;
S3, clustering the illegal requests based on the processed features;
it should be noted that the solid line square and the solid line circle in the rectangular box C1 represent two different types of division results obtained after the second-dimensional space division processing, respectively, where a straight line between the solid line square and the solid line circle is a hyperplane. The dotted line square and the dotted line circle in the rectangular box C1 represent two different types of clustering results obtained after mapping the partition result of the second dimension space to the first dimension space, respectively.
S4, determining the illegal requests contained in the clustering result with the largest number of illegal requests among the plurality of clustering results as malicious requests.
It should be noted that steps S1 to S4 are similar to steps S210 to S240, respectively, and reference may be made to the embodiments of the malicious request detection method in the foregoing steps in the present application, so that details are not described herein again.
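The gateway data center side (steps S1050 to S1080, equivalently S1 to S4, plus the expiry filtering of claim 4 and the malicious source address set of the embodiment after step S1080), written as an added example that is not the patent's code. The autoencoder dimension reduction model and the higher-dimensional-space division are not reproduced: min-max scaling stands in for the former and a deterministic 2-means split for the latter, while the selection rule (the illegal requests in the largest cluster are the malicious ones) follows the text. The feature choice and all request values are constructed.

```python
import math

NOW = 1_700_000_000  # constructed reference time (unix seconds)

# Constructed request data set: illegal (signature-failed) requests reported
# by the gateway service. Six near-identical requests from three addresses
# look automated; two others look like isolated client mistakes; one has
# already expired. All values are made up for this example.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "interface": "/api/login", "param_count": 3, "ts_skew": 0, "valid_until": NOW + 600},
    {"src": "203.0.113.6", "interface": "/api/login", "param_count": 3, "ts_skew": 1, "valid_until": NOW + 600},
    {"src": "203.0.113.7", "interface": "/api/login", "param_count": 3, "ts_skew": 2, "valid_until": NOW + 600},
    {"src": "203.0.113.5", "interface": "/api/login", "param_count": 3, "ts_skew": 0, "valid_until": NOW + 600},
    {"src": "203.0.113.6", "interface": "/api/login", "param_count": 3, "ts_skew": 1, "valid_until": NOW + 600},
    {"src": "203.0.113.7", "interface": "/api/login", "param_count": 3, "ts_skew": 3, "valid_until": NOW + 600},
    {"src": "198.51.100.20", "interface": "/api/pay/query", "param_count": 6, "ts_skew": 250, "valid_until": NOW + 600},
    {"src": "198.51.100.21", "interface": "/api/pay/query", "param_count": 5, "ts_skew": 400, "valid_until": NOW + 600},
    {"src": "198.51.100.22", "interface": "/api/pay/query", "param_count": 3, "ts_skew": 0, "valid_until": NOW - 10},
]


def drop_expired(requests, now):
    """Claim 4: delete illegal requests whose valid time has passed."""
    return [r for r in requests if r["valid_until"] > now]


def features(r):
    """Numeric feature vector for one illegal request (assumed features)."""
    return [float(r["param_count"]), float(r["ts_skew"]), float(len(r["interface"]))]


def scale(vectors):
    """Min-max scale each column to [0, 1]. Stands in for the patent's
    feature dimension reduction model, which is not reproduced here."""
    cols = list(zip(*vectors))
    lo = [min(c) for c in cols]
    hi = [max(c) for c in cols]
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(vec, lo, hi)] for vec in vectors]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _centroid(points):
    return [sum(col) / len(points) for col in zip(*points)]


def two_means(points, iters=20):
    """Deterministic 2-means: seeds are the first point and the point
    farthest from it. Stands in for the patent's kernel-space division."""
    c0 = points[0]
    c1 = max(points, key=lambda p: _dist(p, c0))
    labels = None
    for _ in range(iters):
        new = [0 if _dist(p, c0) <= _dist(p, c1) else 1 for p in points]
        if new == labels:
            break
        labels = new
        members0 = [p for p, l in zip(points, labels) if l == 0]
        members1 = [p for p, l in zip(points, labels) if l == 1]
        if members0:
            c0 = _centroid(members0)
        if members1:
            c1 = _centroid(members1)
    return labels


def find_malicious(requests, now, block_seconds=3600):
    """Steps S1050-S1080: filter, reduce, cluster, and mark the illegal
    requests in the largest cluster as malicious. Also builds the malicious
    source address set with valid time information for the gateway service."""
    live = drop_expired(requests, now)
    if not live:
        return [], {}
    labels = two_means(scale([features(r) for r in live]))
    largest = max((0, 1), key=labels.count)
    malicious = [r for r, l in zip(live, labels) if l == largest]
    sources = {r["src"]: now + block_seconds for r in malicious}
    return malicious, sources


if __name__ == "__main__":
    mal, sources = find_malicious(SAMPLE_REQUESTS, NOW)
    print(len(mal), "malicious requests from", sorted(sources))
```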
The following describes embodiments of an apparatus of the present application, which may be used to perform the malicious request detection method in the foregoing embodiments of the present application. For details that are not disclosed in the embodiments of the apparatus of the present application, please refer to the embodiments of the malicious request detection method described above.
Fig. 12 is a block diagram of a malicious request detection apparatus according to an embodiment of the present application, and referring to fig. 12, a malicious request detection apparatus 1200 according to an embodiment of the present application includes: a first obtaining unit 1202, a feature dimension reduction processing unit 1204, a clustering processing unit 1206, and a first determining unit 1208.
The first obtaining unit 1202 is configured to obtain a request data set, where the request data set includes a plurality of illegal requests, and the illegal requests are requests that do not pass signature authentication in access requests of a client; the feature dimension reduction processing unit 1204 is configured to perform feature dimension reduction processing on the plurality of illegal requests to obtain processed features; the clustering processing unit 1206 is configured to perform clustering processing on the plurality of illegal requests based on the processed features to obtain a plurality of clustering results; the first determining unit 1208 is configured to determine an illegal request included in a target clustering result of the multiple clustering results as a malicious request, where the target clustering result is the clustering result with the largest number of illegal requests among the multiple clustering results.
In some embodiments of the present application, the feature dimension reduction processing unit 1204 is configured to: inputting the plurality of illegal requests into a feature dimension reduction model to obtain processed features output by the feature dimension reduction model, wherein the feature dimension reduction model is obtained through model training; wherein the model training process comprises: inputting a training sample containing an illegal request into a preset network model, wherein the preset network model comprises an input layer, a plurality of hidden layers and an output layer, the input layer contains a coding function, and the output layer contains a decoding function; aiming at the training sample, coding through the coding function, carrying out feature extraction step by step through the plurality of hidden layers, decoding through the decoding function, and outputting to obtain a reconstructed sample; and training parameters in the coding function and the decoding function according to the reconstruction errors of the reconstruction samples and the training samples to obtain the feature dimension reduction model.
In some embodiments of the present application, the cluster processing unit 1206 is configured to: mapping the processed features from a first dimension space to a second dimension space to obtain mapped features, wherein the first dimension space is a dimension space where the processed features are located, and the dimension of the first dimension space is lower than that of the second dimension space; and carrying out division processing on the illegal requests based on the mapped features to obtain a plurality of division results, and mapping the division results from the second dimension space to the first dimension space to obtain a plurality of clustering results.
In some embodiments of the present application, the feature dimension reduction processing unit 1204 is configured to: determining whether expired illegal requests exist in the request data set according to valid time information corresponding to each illegal request; and if the expired illegal request exists, deleting the expired illegal request from the request data set to obtain a new request data set, and performing feature dimension reduction processing on the illegal request contained in the new request data set.
In some embodiments of the present application, the apparatus further comprises: the verification checking unit is configured to verify a source address of the access request of the client and check parameters carried by the access request; and the signature authentication unit is configured to perform signature authentication on the access request if the access request passes source address verification and parameter check.
In some embodiments of the present application, the apparatus further comprises: a second acquisition unit, configured to acquire a malicious source address set, wherein the malicious source address set comprises a plurality of malicious source addresses, and each malicious source address has valid time information; and a second determining unit, configured to determine that the access request passes source address verification if no target malicious source address identical to the source address of the access request exists in the malicious source address set, or if such a target malicious source address exists in the malicious source address set but has exceeded its valid time information.
In some embodiments of the present application, the apparatus further comprises: and the third determining unit is configured to determine that the access request passes the parameter check if the access request carries a timestamp, a random number and an authorized account, and the timestamp difference between the current timestamp and the timestamp is determined to be within a preset timestamp difference range according to the timestamp.
In some embodiments of the present application, the apparatus further comprises: the arrangement unit is configured to sequentially arrange parameter names of other parameters except for the signature carried by the access request of the client and parameter values corresponding to the parameter names to generate a first character string; the adding unit is configured to add a target interface address corresponding to the access request to the head of the first character string to generate a second character string, and perform hash calculation on the second character string to obtain an operation signature of the access request; and the fourth determining unit is configured to determine that the access request is not authenticated by the signature if the operation signature of the access request is not consistent with the signature parameter of the access request.
In some embodiments of the present application, the apparatus further comprises: and the forwarding unit is configured to forward the access request to a server corresponding to the target interface so that the server responds to the access request if the access request is determined to pass the signature authentication and the access frequency of the target interface corresponding to the access request does not reach a preset upper limit.
FIG. 13 illustrates a schematic structural diagram of a computer system suitable for use in implementing the electronic device of an embodiment of the present application.
It should be noted that the computer system 1300 of the electronic device shown in fig. 13 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present application.
As shown in fig. 13, a computer system 1300 includes a Central Processing Unit (CPU)1301 that can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 1302 or a program loaded from a storage portion 1308 into a Random Access Memory (RAM) 1303. In the RAM 1303, various programs and data necessary for system operation are also stored. The CPU 1301, the ROM 1302, and the RAM 1303 are connected to each other via a bus 1304. An Input/Output (I/O) interface 1305 is also connected to bus 1304.
The following components are connected to the I/O interface 1305: an input portion 1306 including a keyboard, a mouse, and the like; an output section 1307 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, a speaker, and the like; a storage portion 1308 including a hard disk and the like; and a communication section 1309 including a Network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 1309 performs communication processing via a network such as the internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1310 as necessary, so that a computer program read out therefrom is mounted into the storage portion 1308 as necessary.
In particular, according to embodiments of the application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications component 1309 and/or installed from removable media 1311. The computer program executes various functions defined in the system of the present application when executed by a Central Processing Unit (CPU) 1301.
It should be noted that the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM), a flash Memory, an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with a computer program embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. The computer program embodied on the computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or by hardware, and the described units may also be disposed in a processor. The names of the units do not in any way limit the units themselves.
As another aspect, the present application also provides a computer-readable medium, which may be contained in the electronic device described in the above embodiments; or may exist separately without being assembled into the electronic device. The computer readable medium carries one or more programs which, when executed by an electronic device, cause the electronic device to implement the method described in the above embodiments.
It should be noted that although several modules or units of the device for action execution are mentioned in the above detailed description, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the application. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (which can be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which can be a personal computer, a server, a touch terminal, or a network device, etc.) to execute the method according to the embodiments of the present application.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the embodiments disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A malicious request detection method, the method comprising:
acquiring a request data set, wherein the request data set comprises a plurality of illegal requests, and the illegal requests are requests which do not pass signature authentication in access requests of a client;
performing feature dimension reduction processing on the plurality of illegal requests to obtain processed features;
clustering the illegal requests based on the processed characteristics to obtain a plurality of clustering results;
and determining illegal requests contained in target clustering results in the clustering results as malicious requests, wherein the target clustering results are the clustering results with the largest number of illegal requests contained in the clustering results.
2. The method of claim 1, wherein performing feature dimension reduction on the plurality of illegitimate requests to obtain processed features comprises:
inputting the plurality of illegal requests into a feature dimension reduction model to obtain processed features output by the feature dimension reduction model, wherein the feature dimension reduction model is obtained through model training;
wherein the model training process comprises: inputting a training sample containing an illegal request into a preset network model, wherein the preset network model comprises an input layer, a plurality of hidden layers and an output layer, the input layer contains a coding function, and the output layer contains a decoding function;
aiming at the training sample, coding through the coding function, carrying out feature extraction step by step through the plurality of hidden layers, decoding through the decoding function, and outputting to obtain a reconstructed sample;
and training parameters in the coding function and the decoding function according to the reconstruction errors of the reconstruction samples and the training samples to obtain the feature dimension reduction model.
3. The method of claim 1, wherein clustering the plurality of illegitimate requests based on the processed features to obtain a plurality of clustering results comprises:
mapping the processed features from a first dimension space to a second dimension space to obtain mapped features, wherein the first dimension space is a dimension space where the processed features are located, and the dimension of the first dimension space is lower than that of the second dimension space;
and carrying out division processing on the illegal requests based on the mapped features to obtain a plurality of division results, and mapping the division results from the second dimension space to the first dimension space to obtain a plurality of clustering results.
4. The method of claim 1, wherein performing feature dimension reduction on the plurality of illegitimate requests to obtain processed features comprises:
determining whether expired illegal requests exist in the request data set according to valid time information corresponding to each illegal request;
and if the expired illegal request exists, deleting the expired illegal request from the request data set to obtain a new request data set, and performing feature dimension reduction processing on the illegal request contained in the new request data set.
5. The method of claim 1, further comprising:
verifying a source address of an access request of the client, and checking parameters carried by the access request;
and if the access request passes source address verification and parameter check, performing signature authentication on the access request.
6. The method of claim 5, further comprising:
the method comprises the steps of obtaining a malicious source address set, wherein the malicious source address set comprises a plurality of malicious source addresses, and each malicious source address has effective time information;
if no target malicious source address identical to the source address of the access request exists in the malicious source address set, or such a target malicious source address exists in the malicious source address set but has exceeded its valid time information, determining that the access request passes source address verification.
7. The method of claim 5, further comprising:
and if the access request carries a timestamp, a random number and an authorized account, and the timestamp difference between the current timestamp and the timestamp is determined to be within a preset timestamp difference range according to the timestamp, determining that the access request passes parameter check.
8. The method according to any one of claims 1 to 7, further comprising:
sequentially arranging parameter names of other parameters except the signature carried by the access request of the client and parameter values corresponding to the parameter names to generate a first character string;
adding a target interface address corresponding to the access request to the head of the first character string to generate a second character string, and performing hash calculation on the second character string to obtain an operation signature of the access request;
and if the operation signature of the access request is not consistent with the signature carried by the access request, determining that the access request is not authenticated by the signature.
9. The method of claim 8, further comprising:
and if the access request is determined to pass signature authentication and the access frequency of the target interface corresponding to the access request does not reach a preset upper limit, forwarding the access request to a server corresponding to the target interface so that the server responds to the access request.
10. An apparatus for malicious request detection, the apparatus comprising:
a first acquisition unit, configured to acquire a request data set, wherein the request data set contains a plurality of illegal requests, and the illegal requests are requests which do not pass signature authentication in access requests of a client;
the feature dimension reduction processing unit is configured to perform feature dimension reduction processing on the plurality of illegal requests to obtain processed features;
the clustering processing unit is configured to perform clustering processing on the illegal requests based on the processed characteristics to obtain a plurality of clustering results;
a first determining unit, configured to determine, as a malicious request, an illegal request included in a target clustering result of the multiple clustering results, where the target clustering result is a clustering result with a largest number of illegal requests included in the multiple clustering results.
CN202011359373.XA 2020-11-27 2020-11-27 Malicious request detection method and device Pending CN112367338A (en)

Publications (1)

Publication Number Publication Date
CN112367338A true CN112367338A (en) 2021-02-12

Family

ID=74536829

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011359373.XA Pending CN112367338A (en) 2020-11-27 2020-11-27 Malicious request detection method and device

Country Status (1)

Country Link
CN (1) CN112367338A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866285A (en) * 2021-02-24 2021-05-28 深圳壹账通智能科技有限公司 Gateway interception method and device, electronic equipment and storage medium
CN113010759A (en) * 2021-03-10 2021-06-22 腾讯科技(深圳)有限公司 Processing method and device of cluster set, computer readable medium and electronic equipment
CN113127411A (en) * 2021-04-07 2021-07-16 华南理工大学 Cross-cloud service application distributed data access system and method
CN113179250A (en) * 2021-03-26 2021-07-27 北京六方云信息技术有限公司 Web unknown threat detection method and system
CN114615073A (en) * 2022-03-22 2022-06-10 广州方硅信息技术有限公司 Access flow control method, device, equipment and medium

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368979A (en) * 2013-08-08 2013-10-23 电子科技大学 Network security verifying device based on improved K-means algorithm
CN105959316A (en) * 2016-07-06 2016-09-21 吴本刚 Network security authentication system
US9516039B1 (en) * 2013-11-12 2016-12-06 EMC IP Holding Company LLC Behavioral detection of suspicious host activities in an enterprise
CN107180191A (en) * 2017-05-03 2017-09-19 北京理工大学 A kind of malicious code analysis method and system based on semi-supervised learning
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid
CN108881196A (en) * 2018-06-07 2018-11-23 中国民航大学 The semi-supervised intrusion detection method of model is generated based on depth
CN109818961A (en) * 2019-01-30 2019-05-28 广东工业大学 A kind of network inbreak detection method, device and equipment
EP3515037A1 (en) * 2018-01-19 2019-07-24 General Electric Company Dynamic concurrent learning method to neutralize cyber attacks and faults for industrial asset monitoring nodes
CN110099059A (en) * 2019-05-06 2019-08-06 腾讯科技(深圳)有限公司 A kind of domain name recognition methods, device and storage medium
CN110674376A (en) * 2019-09-09 2020-01-10 中国平安财产保险股份有限公司 Interface parameter checking method, device, equipment and computer readable storage medium
CN111340132A (en) * 2020-03-10 2020-06-26 南京工业大学 Machine olfaction mode identification method based on DA-SVM
CN111612038A (en) * 2020-04-24 2020-09-01 平安直通咨询有限公司上海分公司 Abnormal user detection method and device, storage medium and electronic equipment
CN111652496A (en) * 2020-05-28 2020-09-11 中国能源建设集团广东省电力设计研究院有限公司 Operation risk assessment method and device based on network security situation awareness system
CN111835707A (en) * 2020-05-27 2020-10-27 江苏大学 Malicious program identification method based on improved support vector machine
CN111885019A (en) * 2020-07-08 2020-11-03 福建奇点时空数字科技有限公司 Network security situation element extraction method based on attack and defense information comparison
CN111915015A (en) * 2020-06-30 2020-11-10 上海金仕达软件科技有限公司 Abnormal value detection method and device, terminal equipment and storage medium

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368979A (en) * 2013-08-08 2013-10-23 电子科技大学 Network security verifying device based on improved K-means algorithm
US9516039B1 (en) * 2013-11-12 2016-12-06 EMC IP Holding Company LLC Behavioral detection of suspicious host activities in an enterprise
CN105959316A (en) * 2016-07-06 2016-09-21 吴本刚 Network security authentication system
US20180262525A1 (en) * 2017-03-09 2018-09-13 General Electric Company Multi-modal, multi-disciplinary feature discovery to detect cyber threats in electric power grid
CN107180191A (en) * 2017-05-03 2017-09-19 北京理工大学 A kind of malicious code analysis method and system based on semi-supervised learning
EP3515037A1 (en) * 2018-01-19 2019-07-24 General Electric Company Dynamic concurrent learning method to neutralize cyber attacks and faults for industrial asset monitoring nodes
CN108881196A (en) * 2018-06-07 2018-11-23 中国民航大学 Semi-supervised intrusion detection method based on a deep generative model
CN109818961A (en) * 2019-01-30 2019-05-28 广东工业大学 Network intrusion detection method, device and equipment
CN110099059A (en) * 2019-05-06 2019-08-06 腾讯科技(深圳)有限公司 Domain name identification method, device and storage medium
CN110674376A (en) * 2019-09-09 2020-01-10 中国平安财产保险股份有限公司 Interface parameter checking method, device, equipment and computer readable storage medium
CN111340132A (en) * 2020-03-10 2020-06-26 南京工业大学 Machine olfaction mode identification method based on DA-SVM
CN111612038A (en) * 2020-04-24 2020-09-01 平安直通咨询有限公司上海分公司 Abnormal user detection method and device, storage medium and electronic equipment
CN111835707A (en) * 2020-05-27 2020-10-27 江苏大学 Malicious program identification method based on improved support vector machine
CN111652496A (en) * 2020-05-28 2020-09-11 中国能源建设集团广东省电力设计研究院有限公司 Operation risk assessment method and device based on network security situation awareness system
CN111915015A (en) * 2020-06-30 2020-11-10 上海金仕达软件科技有限公司 Abnormal value detection method and device, terminal equipment and storage medium
CN111885019A (en) * 2020-07-08 2020-11-03 福建奇点时空数字科技有限公司 Network security situation element extraction method based on attack and defense information comparison

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
莫菲,赵大伟: "Technology Reshaping Finance: Fintech Practice and Outlook", 30 November 2017, China Financial Publishing House (中国金融出版社) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112866285A (en) * 2021-02-24 2021-05-28 深圳壹账通智能科技有限公司 Gateway interception method and device, electronic equipment and storage medium
CN113010759A (en) * 2021-03-10 2021-06-22 腾讯科技(深圳)有限公司 Processing method and device of cluster set, computer readable medium and electronic equipment
CN113010759B (en) * 2021-03-10 2023-10-27 腾讯科技(深圳)有限公司 Cluster set processing method and device, computer readable medium and electronic equipment
CN113179250A (en) * 2021-03-26 2021-07-27 北京六方云信息技术有限公司 Web unknown threat detection method and system
CN113179250B (en) * 2021-03-26 2022-05-17 北京六方云信息技术有限公司 Method and system for detecting unknown web threats
CN113127411A (en) * 2021-04-07 2021-07-16 华南理工大学 Cross-cloud service application distributed data access system and method
CN114615073A (en) * 2022-03-22 2022-06-10 广州方硅信息技术有限公司 Access flow control method, device, equipment and medium

Similar Documents

Publication Publication Date Title
CN112367338A (en) Malicious request detection method and device
WO2020134942A1 (en) Identity verification method and system therefor
US11750645B2 (en) Detecting use of compromised security credentials in private enterprise networks
US9967265B1 (en) Detecting malicious online activities using event stream processing over a graph database
Liu et al. Privacy-preserving scanning of big content for sensitive data exposure with MapReduce
US9509688B1 (en) Providing malicious identity profiles from failed authentication attempts involving biometrics
US20210258330A1 (en) Detecting compromised credentials in a credential stuffing attack
US11438360B2 (en) Determining the intersection of a set of compromised credentials with a set of active credentials with data structures and architectures that expedite comparisons
US20210203692A1 (en) Phishing detection using uniform resource locators
US10313322B2 (en) Distinguishing human-generated input from programmatically-generated input
US11381598B2 (en) Phishing detection using certificates associated with uniform resource locators
US10015171B1 (en) Authentication using metadata from posts made to social networking websites
CN110268406B (en) Password security
US20210203693A1 (en) Phishing detection based on modeling of web page content
US11640450B2 (en) Authentication using features extracted based on cursor locations
US11693967B2 (en) Machine learning-based method and system for detecting plaintext passwords
Aung et al. URL-based phishing detection using the entropy of non-alphanumeric characters
He et al. A security analysis method of security protocol implementation based on unpurified security protocol trace and security protocol implementation ontology
WO2023192175A1 (en) Device-agnostic access control techniques
US11470114B2 (en) Malware and phishing detection and mediation platform
Liu et al. Malware detection method based on image analysis and generative adversarial networks
WO2021133592A1 (en) Malware and phishing detection and mediation platform
CN112104625A (en) Process access control method and device
CN111209552A (en) Identity authentication method and device based on user behaviors
CN111083156A (en) Authentication method, authentication device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40038724; Country of ref document: HK)

RJ01 Rejection of invention patent application after publication

Application publication date: 20210212