CN112560021A - Attack detection method and attack detection model - Google Patents

Attack detection method and attack detection model

Info

Publication number: CN112560021A
Authority: CN (China)
Prior art keywords: information, fingerprint, svm, attack, model
Legal status: Withdrawn
Application number: CN202011350251.4A
Other languages: Chinese (zh)
Inventor: 王伟
Current assignee: New H3C Technologies Co Ltd Hefei Branch
Original assignee: New H3C Technologies Co Ltd Hefei Branch
Priority date: 2020-11-26
Filing date: 2020-11-26
Publication date: 2021-03-26

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 20/00 Machine learning
    • G06N 20/10 Machine learning using kernel methods, e.g. support vector machines [SVM]

Abstract

The present specification provides an attack detection method and an attack detection model. The method comprises the steps of: obtaining URL information and decoding it to obtain the user raw data corresponding to the URL information; obtaining the fingerprint information produced by analyzing the user raw data with a database analysis algorithm; evaluating the fingerprint information with an SVM risk evaluation model; and judging from the evaluation result whether the URL information is attack information. The method addresses the problem that the regular expression method is increasingly unable to meet current requirements.

Description

Attack detection method and attack detection model
Technical Field
The present disclosure relates to the field of information security, and in particular, to an attack detection method and an attack detection model.
Background
SQLi (SQL injection) is an injection attack that executes malicious SQL statements. By inserting arbitrary SQL code into a database query, an attacker can take complete control of the database server behind a web application. Criminals may use it to gain unauthorized access to users' sensitive data: customer information, personal data, trade secrets, intellectual property and so on. SQL injection is one of the oldest, most common and most dangerous web application vulnerabilities.
The traditional method of detecting SQL injection relies on regular expressions, which are stable and easy to maintain; however, the regular expression method has high false-positive and false-negative rates, requires frequent rule updates, and has difficulty detecting unknown threats. In the face of an increasingly complex network security situation, the regular expression method is increasingly unable to meet current requirements.
Disclosure of Invention
The embodiment of the specification provides an attack detection method and an attack detection model, and by the method, the problem that the regular expression method is more and more difficult to meet the current requirement can be solved.
An embodiment of the present specification provides an attack detection method, including:
acquiring URL information, decoding the URL information to acquire user original data corresponding to the URL information;
acquiring fingerprint information after analyzing the user original data according to a database analysis algorithm;
and evaluating the fingerprint information by using an SVM risk evaluation model, and judging whether the URL information is attack information according to an evaluation result.
According to this embodiment, risk evaluation is performed on the URL information entered by the user through the SVM risk evaluation model, which addresses the problem that the regular expression method is increasingly unable to meet current requirements.
In one embodiment, the user raw data comprises the original characters entered by the user.
In an embodiment, the evaluating the fingerprint information by using the SVM risk assessment model specifically includes:
and carrying out one-hot coding on the fingerprint information, and evaluating the coded fingerprint information through an SVM risk evaluation model.
In one embodiment, the method for obtaining the SVM risk assessment model comprises:
and acquiring a plurality of attack samples, training the attack samples, and acquiring an SVM risk evaluation model according to a training result.
In one embodiment, before the evaluating the fingerprint information using the SVM risk assessment model, the method further comprises:
carrying out attack judgment on the fingerprint information by using an attack fingerprint database;
if the fingerprint information is judged not to belong to the attack fingerprint, evaluating the fingerprint information by utilizing an SVM risk evaluation model;
and if the fingerprint information is judged to belong to the attack fingerprint, determining the URL information as attack information.
An embodiment of the present specification further provides an attack detection model, where the model includes a fingerprint acquisition module, an algorithm detection module and a resource module;
the fingerprint acquisition module decodes the acquired URL information, acquires the user raw data corresponding to the URL information, and acquires the fingerprint information of the user raw data according to a database analysis algorithm;
the algorithm detection module performs risk assessment on the fingerprint information using a Libinjection fingerprint database and/or an SVM risk assessment model contained in it;
and the resource module stores the Libinjection fingerprint database and the SVM risk assessment model.
In one embodiment, the user raw data comprises the original characters entered by the user.
In an embodiment, the evaluating the fingerprint information by using the SVM risk assessment model specifically includes:
and carrying out one-hot coding on the fingerprint information, and evaluating the coded fingerprint information through an SVM risk evaluation model.
In one embodiment, obtaining the SVM risk assessment model in the resource module includes acquiring a plurality of attack samples, training on the attack samples, and using the training result as the SVM risk assessment model.
In one embodiment, before the fingerprint information is evaluated with the SVM risk evaluation model, attack judgment is performed on the fingerprint information using the Libinjection fingerprint database in the resource module;
if the fingerprint information does not belong to the fingerprints in the Libinjection fingerprint database, the fingerprint information is evaluated with the SVM risk evaluation model;
and if the fingerprint information is judged to belong to the fingerprints in the Libinjection fingerprint database, the URL information is determined to be attack information.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present specification and together with the description, serve to explain the principles of the specification.
Fig. 1 is a schematic flowchart of a method for detecting an attack according to an embodiment of the present disclosure;
Fig. 2 is a schematic structural diagram of an attack detection model provided in an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, these information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Currently, SQL injection detection is mainly performed with the Libinjection algorithm, a very popular open-source lexical analysis library for SQL injection and XSS attacks hosted on GitHub. Unlike the traditional regular expression method, it matches and checks for SQL injection against a well-developed feature library. Compared with traditional regular-expression matching, it has the advantages of high speed, a low false-positive rate and a low false-negative rate. However, Libinjection has obvious disadvantages: as many as 8000 built-in attack fingerprints are written into the code as arrays, so extending the fingerprints later requires modifying the source code, and its so-called semantic analysis is in fact only a rule-matching mode that cannot truly detect unknown threats.
The present specification provides a method for detecting an attack, as shown in fig. 1, the method including:
s101, obtaining URL information, decoding the URL information and obtaining user original data corresponding to the URL information;
s102, acquiring fingerprint information obtained after analyzing the user original data according to a database analysis algorithm;
s103, the fingerprint information is evaluated by using an SVM risk evaluation model, and whether the URL information is attack information or not is judged according to an evaluation result.
It should be noted that: the attacks described in the embodiments of the present specification may include SQL injection attacks.
Generally, a user enters raw data on a website's input interface, for example Chinese characters or a mixture including some special characters, and the system automatically converts the user's raw data into URL information. In step S101, in order to perform attack detection, the URL information is restored to the user's raw data by URL decoding.
In step S102, obtaining fingerprint information by analyzing the user raw data with a database analysis algorithm may specifically include analyzing the user raw data with the Libinjection database analysis algorithm and outputting the resulting fingerprint information. For example, suppose the decoded user raw data is 1' or 1=1. The database analysis algorithm takes the leading 1 as a number and resolves its fingerprint to 1 (denoting a number); the single quote that follows is never closed, so all the remaining characters (' or 1=1) are taken as one character string and resolved to s (denoting a string), giving the combined fingerprint 1s. Parsing then continues: the algorithm first supplements the missing single quote, turning the input into '1' or 1=1, which splits into three parts resolved respectively to s (string), & (logical operator; and and or both belong to this class) and 1 (number), so the combined fingerprint information is s&1.
In step S103, before evaluation with the SVM risk assessment model, an attack fingerprint database may first be used to perform attack determination on the fingerprint information. The attack fingerprint database may be the Libinjection fingerprint database, which stores attack fingerprint samples in advance; whether the URL information corresponding to the fingerprint information is attack information is determined by comparison against these samples.
If the Libinjection fingerprint database does not determine the information to be an attack, the evaluation then proceeds with the SVM risk assessment model.
In this embodiment, the SVM is itself a binary classifier: given an input it outputs only -1 or 1, representing the negative and positive classes respectively, and this behaviour is determined by its decision function f(x) = sign(w · kernel(x) + b), which is also called a step function.
Because sign outputs 1 for any input greater than 0 and -1 for any input less than 0, this decision function is not suitable for risk assessment: an input of 0.0001 is close to 0 yet would be classified outright as positive, whereas for such a case a risk rating should be given that treats it as positive but with a very low risk. The input is therefore mapped to a probability value between 0 and 1, that is, a probability estimate is made for the input. To realize this mapping, the present specification provides the decision function f(x) = sigmoid(w · kernel(x) + b), from which the probability value is obtained.
In order to evaluate the fingerprint information with the above formula, in step S103 the obtained fingerprint information is first one-hot encoded; the encoded fingerprint information is input into the SVM to obtain a probability value, the probability value corresponding to the fingerprint information is evaluated by the SVM risk evaluation model, and an evaluation result is obtained. An exemplary quantization table of the SVM risk evaluation model is shown in Table 1:
[Table 1 is reproduced on the original page only as an image (quantization table mapping SVM probability values to evaluation results); its contents are not available here.]
TABLE 1
The probability value of the fingerprint information calculated by the SVM is then looked up in Table 1 to obtain the evaluation result.
To obtain the SVM risk assessment model, a plurality of attack samples (which may be SQL injection attack samples) are first acquired, and probability training is performed on them, yielding the SVM risk assessment model of Table 1.
According to the embodiment, the original data input by the user are input into the SVM risk assessment model for risk assessment, so that a risk assessment result is rapidly obtained, and the problem that the regular expression method is more and more difficult to meet the current requirement is solved.
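The decode, fingerprint, database lookup and SVM scoring pipeline of steps S101 to S103, including training the SVM from labelled samples, as an added example that is not part of the patent: it uses only the Python standard library, its tokenizer is a deliberately simplified stand-in for Libinjection's parser (with a constructed folding rule so that the walkthrough above yields s&1), and the attack fingerprint set, training samples and quantization thresholds are all constructed, since Table 1 is not reproduced on the page.

```python
"""Two-stage SQL injection risk scoring along the lines of steps S101 to S103."""
import math
import re
from urllib.parse import unquote_plus

# Constructed fingerprint alphabet, loosely modelled on libinjection's token classes: 1 number,
# s string, n bare word, & logical operator, o other operator, k keyword, c comment, ; separator.
ALPHABET = "1sn&okc;"
LOGICAL = {"or", "and"}
KEYWORDS = {"select", "union", "insert", "update", "delete", "drop", "from", "where"}
TOKEN_RE = re.compile(r"\s+|'|--|#|/\*|\d+(?:\.\d+)?|[A-Za-z_]\w*|[=<>!+\-*/%]|;|.", re.S)
# Constructed stand-in for the attack fingerprint database consulted first in step S103.
KNOWN_ATTACK_FINGERPRINTS = {"s&1", "1&1", "sc", "s&s"}
# Constructed training set of (fingerprint, label): +1 attack sample, -1 benign sample.
TRAINING_SAMPLES = [("s&1", 1), ("1&1", 1), ("sc", 1), ("1kk", 1), ("nkk", 1),
                    ("1;kn", 1), ("n&s", 1), ("1", -1), ("s", -1), ("n", -1),
                    ("nn", -1), ("n1", -1), ("1on", -1)]
# Constructed quantization table standing in for Table 1: (upper bound, risk level).
RISK_TABLE = [(0.25, "low"), (0.5, "medium"), (0.75, "high"), (1.01, "critical")]

def fingerprint(raw: str, quote_ctx: bool = False) -> str:
    """Token-class fingerprint of the decoded input (step S102). With quote_ctx the
    input is parsed as if preceded by an opening quote: the 'supplemented quote' pass."""
    text = "'" + raw if quote_ctx else raw
    classes, pos = [], 0
    while pos < len(text):
        match = TOKEN_RE.match(text, pos)
        tok, pos = match.group(0), match.end()
        if tok.isspace():
            continue
        if tok == "'":                      # a string runs to the closing quote or end of input
            end = text.find("'", pos)
            pos = len(text) if end < 0 else end + 1
            classes.append("s")
        elif tok in ("--", "#", "/*"):      # a comment swallows the rest of the input
            classes.append("c")
            pos = len(text)
        elif tok[0].isdigit():
            classes.append("1")
        elif tok[0].isalpha() or tok[0] == "_":
            word = tok.lower()
            classes.append("&" if word in LOGICAL else "k" if word in KEYWORDS else "n")
        elif tok == ";":
            classes.append(";")
        elif tok in "=<>!+-*/%":
            classes.append("o")             # any other character is ignored here
    # Constructed folding rule: number-operator-number (1=1) counts as one number,
    # which is what turns s&1o1 into the s&1 fingerprint of the walkthrough above.
    return "".join(classes).replace("1o1", "1")[:5]   # libinjection keeps at most 5 classes

def one_hot(fp: str) -> list:
    """Presence vector over ALPHABET: one-hot per token class, summed over the fingerprint."""
    return [1.0 if cls in fp else 0.0 for cls in ALPHABET]

def train_svm(samples, epochs: int = 500, lr: float = 1.0):
    """Linear SVM fitted by stochastic sub-gradient descent on the hinge loss (regularization
    omitted for brevity); stops once no sample violates the margin. Returns (w, b)."""
    w, b = [0.0] * len(ALPHABET), 0.0
    data = [(one_hot(fp), y) for fp, y in samples]
    for _ in range(epochs):
        updated = False
        for x, y in data:
            if y * (sum(wi * xi for wi, xi in zip(w, x)) + b) < 1:   # hinge sub-gradient step
                w = [wi + lr * y * xi for wi, xi in zip(w, x)]
                b += lr * y
                updated = True
        if not updated:
            break
    return w, b

def svm_probability(model, fp: str) -> float:
    """f(x) = sigmoid(w . kernel(x) + b) with a linear kernel, i.e. kernel(x) = x."""
    w, b = model
    score = sum(wi * xi for wi, xi in zip(w, one_hot(fp))) + b
    return 1.0 / (1.0 + math.exp(-score))

def risk_level(p: float) -> str:
    """Substitute the probability value into the quantization table."""
    return next(level for upper, level in RISK_TABLE if p < upper)

def detect(url_value: str, model) -> dict:
    """Steps S101 to S103 for one URL parameter value."""
    raw = unquote_plus(url_value)                       # S101: restore the user's raw input
    fps = [fingerprint(raw), fingerprint(raw, True)]    # S102: both parsing contexts
    for fp in fps:                                      # S103: fingerprint database first
        if fp in KNOWN_ATTACK_FINGERPRINTS:
            return {"raw": raw, "fingerprint": fp, "stage": "fingerprint-db",
                    "probability": 1.0, "risk": "critical"}
    fp, p = max(((f, svm_probability(model, f)) for f in fps), key=lambda t: t[1])
    return {"raw": raw, "fingerprint": fp, "stage": "svm",   # S103: SVM scores the remainder
            "probability": p, "risk": risk_level(p)}
```

Call train_svm(TRAINING_SAMPLES) once and then detect(value, model) per URL parameter value; the returned dict records the decoded input, the fingerprint that decided the outcome, which stage decided it, the probability and the risk level.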
An embodiment of the present specification further provides an attack detection model, as shown in fig. 2, where the attack detection model includes: the system comprises a fingerprint acquisition module, an algorithm detection module and a resource module;
decoding the acquired URL information by using the fingerprint acquisition module, acquiring user original data corresponding to the URL information, and acquiring fingerprint information of the user original data according to a database analysis algorithm;
performing risk assessment on the fingerprint information by using a Libinjection fingerprint database and an SVM risk assessment model contained in the algorithm detection module;
and the resource module stores the Libinjection fingerprint database and the SVM risk assessment model.
Here the user raw data comprises the original characters entered by the user.
The evaluating the fingerprint information by using the SVM risk evaluation model specifically comprises: and carrying out one-hot coding on the fingerprint information, and evaluating the coded fingerprint information through an SVM risk evaluation model.
In one embodiment, the obtaining of the SVM risk assessment model in the resource module includes obtaining a plurality of attack samples, training the attack samples, and using a training result as the SVM risk assessment model.
In another embodiment, before the fingerprint information is evaluated with the SVM risk evaluation model, attack judgment is performed on the fingerprint information using the Libinjection fingerprint database in the resource module;
if the fingerprint information does not belong to the fingerprints in the Libinjection fingerprint database, the fingerprint information is evaluated with the SVM risk evaluation model;
and if the fingerprint information is judged to belong to the fingerprints in the Libinjection fingerprint database, the URL information is determined to be attack information.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Other embodiments of the present description will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This specification is intended to cover any variations, uses, or adaptations of the specification following, in general, the principles of the specification and including such departures from the present disclosure as come within known or customary practice within the art to which the specification pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the specification being indicated by the following claims.
It will be understood that the present description is not limited to the precise arrangements described above and shown in the drawings, and that various modifications and changes may be made without departing from the scope thereof. The scope of the present description is limited only by the appended claims.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.

Claims (10)

1. A method for detecting an attack, the method comprising:
acquiring URL information, decoding the URL information to acquire user original data corresponding to the URL information;
acquiring fingerprint information after analyzing the user original data according to a database analysis algorithm;
and evaluating the fingerprint information by using an SVM risk evaluation model, and judging whether the URL information is attack information according to an evaluation result.
2. The method of claim 1, wherein the user raw data comprises the original characters entered by the user.
3. The method according to claim 1, wherein the evaluating the fingerprint information using the SVM risk assessment model specifically comprises:
and carrying out one-hot coding on the fingerprint information, and evaluating the coded fingerprint information through an SVM risk evaluation model.
4. The method of claim 1, wherein the method of obtaining the SVM risk assessment model comprises:
and acquiring a plurality of attack samples, training the attack samples, and acquiring an SVM risk evaluation model according to a training result.
5. The method of claim 1, wherein prior to said evaluating the fingerprint information using the SVM risk assessment model, the method further comprises:
carrying out attack judgment on the fingerprint information by using an attack fingerprint database;
if the fingerprint information is judged not to belong to the attack fingerprint, evaluating the fingerprint information by utilizing an SVM risk evaluation model;
and if the fingerprint information is judged to belong to the attack fingerprint, determining the URL information as attack information.
6. An attack detection model, the model comprising: the system comprises a fingerprint acquisition module, an algorithm detection module and a resource module;
decoding the acquired URL information by using the fingerprint acquisition module, acquiring user original data corresponding to the URL information, and acquiring fingerprint information of the user original data according to a database analysis algorithm;
performing risk assessment on the fingerprint information by using a Libinjection fingerprint database and an SVM risk assessment model contained in the algorithm detection module;
and storing the Libinjection fingerprint database and the SVM risk assessment model in the resource module.
7. The model of claim 6, wherein said user raw data comprises the original characters entered by the user.
8. The model of claim 1, wherein the evaluating the fingerprint information using the SVM risk assessment model specifically comprises:
and carrying out one-hot coding on the fingerprint information, and evaluating the coded fingerprint information through an SVM risk evaluation model.
9. The model of claim 1, wherein obtaining the SVM risk assessment model in the resource module is by obtaining a plurality of attack samples, training the plurality of attack samples, and taking the training result as the SVM risk assessment model.
10. The model of claim 1, wherein prior to said evaluating the fingerprint information using the SVM risk assessment model,
attack judgment is carried out on the fingerprint information using the Libinjection fingerprint database in the resource module;
if the fingerprint information does not belong to the fingerprints in the Libinjection fingerprint database, the fingerprint information is evaluated with the SVM risk evaluation model;
and if the fingerprint information is judged to belong to the fingerprints in the Libinjection fingerprint database, the URL information is determined to be attack information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011350251.4A CN112560021A (en) 2020-11-26 2020-11-26 Attack detection method and attack detection model

Publications (1)

Publication Number Publication Date
CN112560021A true CN112560021A (en) 2021-03-26

Family

ID=75045756

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
CN105959324A (en) * 2016-07-15 2016-09-21 江苏博智软件科技有限公司 Regular matching-based network attack detection method and apparatus
CN108959926A (en) * 2018-06-27 2018-12-07 杭州安恒信息技术股份有限公司 A detection method for SQL injection attacks
CN110245195A (en) * 2019-04-29 2019-09-17 北京邮电大学 Structured query language injection detection method and device based on a honeypot system
CN111538925A (en) * 2020-04-09 2020-08-14 支付宝(杭州)信息技术有限公司 Method and device for extracting Uniform Resource Locator (URL) fingerprint features
CN111585955A (en) * 2020-03-31 2020-08-25 中南大学 HTTP request anomaly detection method and system
CN111783132A (en) * 2020-05-27 2020-10-16 平安科技(深圳)有限公司 Machine-learning-based SQL statement security detection method, device, equipment and medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
楚翔皓 et al.: "Research on SQL injection attack detection based on LSTM neural networks", Journal of Tianjin University of Technology *
蒋磊: "Research on machine-learning-based SQL injection detection technology", China Master's Theses Full-text Database, Information Science and Technology *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210326