CN113645222A - Message flow detection method, system, device and computer readable storage medium - Google Patents

Info

Publication number: CN113645222A
Authority: CN (China)
Prior art keywords: request message, detected, message, information, detection
Legal status: Withdrawn
Application number: CN202110907955.5A
Other languages: Chinese (zh)
Inventors: 娄宇, 范渊, 杨勃
Current Assignee: DBAPPSecurity Co Ltd
Original Assignee: DBAPPSecurity Co Ltd

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • G06F16/353 Clustering; Classification into predefined classes
    • G06F40/216 Parsing using statistical methods
    • G06F40/284 Lexical analysis, e.g. tokenisation or collocates
    • G06N3/045 Combinations of networks
    • G06N3/08 Learning methods

Abstract

The application discloses a message flow detection method, a system, a device and a computer readable storage medium, comprising: acquiring a request message to be detected; analyzing the request message to be detected, and acquiring dimension information of the request message to be detected; extracting feature information of the request message to be detected from the dimension information by using a preset feature extraction model; and analyzing the characteristic information by using a preset detection and identification model, and judging whether the request message to be detected belongs to a normal message. According to the method and the device, the request message is linearly analyzed to obtain bitmap information capable of reflecting the characteristics of the request message, useless data is filtered for subsequent characteristic extraction, extraction speed is increased, the characteristic information of the request message is extracted and analyzed by using a characteristic extraction model and a detection identification model of machine learning, whether the request message to be detected is a normal message or an abnormal message can be accurately and quickly judged, detection speed and accuracy are improved, and filtering performance and protective performance are improved.

Description

Message flow detection method, system, device and computer readable storage medium
Technical Field
The present invention relates to the field of cloud security, and in particular, to a method, a system, an apparatus, and a computer-readable storage medium for detecting packet traffic.
Background
As daily life becomes increasingly informatized, people can no longer do without the internet; while the internet brings convenience, it also gives lawbreakers a channel for crime. A network attacker can exploit network characteristics to craft malicious request messages and carry out network attacks.
In order to effectively prevent network attacks, the network security protection engine needs to detect the flow of each request message, but there are many normal request messages and few abnormal request messages every day, and if each request message is detected, the detection performance of the protection engine is greatly lost.
At present, a common method is to add rules to filter some normal request messages before detection, but the rules can only filter specific messages and cannot identify and filter some messages with similar semantics.
Therefore, a message traffic detection method with better protection performance is needed.
Disclosure of Invention
In view of this, the present invention provides a method, a system, a device and a computer readable storage medium for detecting message traffic, so as to improve protection performance. The specific scheme is as follows:
a message flow detection method comprises the following steps:
acquiring a request message to be detected;
analyzing the request message to be detected to acquire dimension information of the request message to be detected;
extracting the feature information of the request message to be detected from the dimension information by using a preset feature extraction model;
analyzing the characteristic information by using a preset detection identification model, and judging whether the request message to be detected belongs to a normal message or not;
the feature extraction model is obtained by training through the dimension information of the historical request message to be detected, and the detection identification model is obtained by training through the feature information of the historical request message to be detected.
Optionally, the process of extracting the feature information of the request packet to be detected from the dimension information by using a preset feature extraction model includes:
and extracting the feature information of the request message to be detected from the dimension information by using a feature extraction model established based on a TFIDF algorithm or a word2vec algorithm.
Optionally, the analyzing the characteristic information by using a preset detection and identification model to determine whether the request packet to be detected belongs to a normal packet includes:
and analyzing the characteristic information by using a detection and identification model established based on a binary classification algorithm, and judging whether the request message to be detected belongs to a normal message.
Optionally, the process of analyzing the request packet to be detected and acquiring the dimension information of the request packet to be detected includes:
and analyzing the request message to be detected, and acquiring a request message header, a request URL (uniform resource locator) and a request message body of the request message to be detected.
The invention also discloses a message flow detection system, which comprises:
the message acquisition module is used for acquiring a request message to be detected;
the message analysis module is used for analyzing the request message to be detected and acquiring the dimension information of the request message to be detected;
the characteristic extraction module is used for extracting the characteristic information of the request message to be detected from the dimension information by using a preset characteristic extraction model;
the identification detection module is used for analyzing the characteristic information by using a preset detection identification model and judging whether the request message to be detected belongs to a normal message or not;
the feature extraction model is obtained by training through the dimension information of the historical request message to be detected, and the detection identification model is obtained by training through the feature information of the historical request message to be detected.
Optionally, the feature extraction module is specifically configured to extract feature information of the request packet to be detected from the dimensional information by using a feature extraction model established based on a TFIDF algorithm or a word2vec algorithm.
Optionally, the identification detection module is specifically configured to analyze the feature information by using a detection identification model established based on a binary classification algorithm, and determine whether the request packet to be detected belongs to a normal packet.
Optionally, the message parsing module is specifically configured to parse the request message to be detected, and obtain a request message header, a request URL, and a request message body of the request message to be detected.
The invention also discloses a message flow detection device, which comprises:
a memory for storing a computer program;
a processor for executing the computer program to implement the message flow detection method as described above.
The invention also discloses a computer readable storage medium, which stores a computer program, and the computer program is executed by a processor to realize the message flow detection method.
The invention discloses a message flow detection method, which comprises the following steps: acquiring a request message to be detected; analyzing the request message to be detected, and acquiring dimension information of the request message to be detected; extracting feature information of the request message to be detected from the dimension information by using a preset feature extraction model; analyzing the characteristic information by using a preset detection recognition model, and judging whether the request message to be detected belongs to a normal message or not; the characteristic extraction model is obtained by training through the dimension information of the historical request message to be detected, and the detection identification model is obtained by training through the characteristic information of the historical request message to be detected.
According to the method and the device, the request message is linearly analyzed to obtain bitmap information capable of reflecting the characteristics of the request message, useless data is filtered for subsequent characteristic extraction, the extraction speed is increased, the characteristic information of the request message is extracted and analyzed by using a characteristic extraction model and a detection identification model of machine learning respectively, whether the request message to be detected is a normal message or an abnormal message can be accurately and quickly judged, the detection speed and the detection accuracy are improved, and the filtering performance and the protection performance are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flow chart of a message traffic detection method disclosed in the embodiment of the present invention;
fig. 2 is a schematic structural diagram of an http protocol disclosed in an embodiment of the present invention;
fig. 3 is a schematic diagram of an http message structure disclosed in the embodiment of the present invention;
fig. 4 is a schematic structural diagram of a message traffic detection system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention discloses a message flow detection method, which is shown in figure 1 and comprises the following steps:
s11: acquiring a request message to be detected;
s12: and analyzing the request message to be detected to obtain the dimension information of the request message to be detected.
Specifically, after the request message to be detected is obtained, the dimensional information of the request message to be detected can be separated from the request message to be detected by using a simple analysis tool, and the dimensional information can be data capable of embodying the characteristics of the request message, such as a request message header, a request URL, a request message body, and the like. By preliminarily extracting the dimension information of the request message to be detected, a large amount of information which cannot reflect the characteristics of the request message in the request message can be filtered, so that the subsequent characteristic extraction speed is accelerated.
S13: and extracting the characteristic information of the request message to be detected from the dimension information by using a preset characteristic extraction model.
Specifically, a machine learning method is used for training the dimensional information of the historical request message to be detected to obtain a feature extraction model, and the feature information of the request message to be detected can be rapidly extracted from the dimensional information through the feature extraction model.
Further, the step of extracting the feature information of the request packet to be detected from the dimension information by using the preset feature extraction model in S13 may specifically include:
s131: and calculating a word frequency inverse document frequency matrix of the dimension information by using a TFIDF algorithm in the feature extraction model.
In particular, TF-IDF (Term Frequency Inverse Document Frequency) is a statistical method for evaluating the importance of a word to a Document set or one of the documents in a corpus. The importance of a word increases in proportion to the number of times it appears in a document, but at the same time decreases in inverse proportion to the frequency with which it appears in the corpus. The specific calculation formula is as follows:
Figure BDA0003202414610000051
Figure BDA0003202414610000052
$\mathrm{TFIDF} = \mathrm{TF} \times \mathrm{IDF}$;
In the formula, $TF_w$ denotes the word frequency of the word $w$, $IDF_w$ denotes the inverse text frequency index of the word $w$, and TFIDF denotes the word frequency inverse document frequency.
Specific examples are as follows:
suppose there are four documents, the contents of which are: "Chinese Beijing Chinese", "Chinese Chinese Shanghai", "Chinese Macao", "Tokyo Japan Chinese".
The feature vectors are ['beijing', 'chinese', 'japan', 'macao', 'shanghai', 'tokyo'].
The TF matrix is then:
[[1 2 0 0 0 0]
[0 2 0 0 1 0]
[0 1 0 1 0 0]
[0 1 1 0 0 1]]
the TFIDF matrix is then:
Figure BDA0003202414610000053
It can be understood that, when calculating the word frequency inverse document frequency matrix for a request message, since the request message is entirely in English, the English letters can be extracted, and the word frequency can be calculated by permutation and combination of twelve files.
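The four-document example above, worked through in Python as an added example (not code from the patent). The page's TF and IDF formulas did not survive extraction, so the smoothed IDF `ln((1+N)/(1+df)) + 1` with L2 row normalization used here is an assumption; the function names are hypothetical.

```python
import math

# The four documents from the worked example in the text.
DOCS = [
    "Chinese Beijing Chinese",
    "Chinese Chinese Shanghai",
    "Chinese Macao",
    "Tokyo Japan Chinese",
]


def tokenize(text):
    """Lower-case and split on whitespace."""
    return text.lower().split()


def build_vocabulary(docs):
    """Sorted list of distinct terms: the feature vector of the example."""
    return sorted({tok for doc in docs for tok in tokenize(doc)})


def tf_matrix(docs, vocab):
    """Raw term counts, one row per document, one column per vocabulary term."""
    index = {term: i for i, term in enumerate(vocab)}
    rows = []
    for doc in docs:
        row = [0] * len(vocab)
        for tok in tokenize(doc):
            row[index[tok]] += 1
        rows.append(row)
    return rows


def idf_vector(tf):
    """Assumed IDF variant: ln((1 + N) / (1 + df)) + 1 (smoothed)."""
    n_docs = len(tf)
    idf = []
    for col in range(len(tf[0])):
        df = sum(1 for row in tf if row[col] > 0)
        idf.append(math.log((1 + n_docs) / (1 + df)) + 1.0)
    return idf


def tfidf_matrix(tf, idf):
    """TF * IDF per cell, then L2-normalize each row (assumed normalization)."""
    out = []
    for row in tf:
        weighted = [count * weight for count, weight in zip(row, idf)]
        norm = math.sqrt(sum(v * v for v in weighted)) or 1.0
        out.append([v / norm for v in weighted])
    return out


if __name__ == "__main__":
    vocab = build_vocabulary(DOCS)
    tf = tf_matrix(DOCS, vocab)
    tfidf = tfidf_matrix(tf, idf_vector(tf))
    print(vocab)
    for row in tfidf:
        print(["%.3f" % v for v in row])
```

A term that occurs in every document ('chinese') gets the minimum IDF, so in the third document the rarer term 'macao' outweighs it even though both occur once.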
S132: and normalizing the word frequency inverse document frequency matrix by using a word2vec algorithm in the feature extraction model, and extracting feature information of the request message to be detected from the dimension information.
In particular, word2vec comprises a family of related models used to generate word vectors. These models are shallow, two-layer neural networks that are trained to reconstruct the linguistic contexts of words. The network takes words as input and must predict the words in adjacent positions; under the bag-of-words assumption in word2vec, the order of the words is unimportant. After training is completed, the word2vec model can be used to map each word to a vector that represents word-to-word relationships; this vector is the hidden layer of the neural network. After the vector of each word is obtained, the vectors of all words in a sentence can be added and averaged to serve as the vector representation of the sentence. word2vec includes both the CBOW and Skip-gram models.
Specifically, the word frequency inverse document frequency matrix is subjected to normalization processing through a word2vec algorithm, and the dimension reduction can be performed on the word frequency inverse document frequency matrix, so that the feature information capable of effectively reflecting the features of the request message to be detected is screened out.
S14: and analyzing the characteristic information by using a preset detection and identification model, and judging whether the request message to be detected belongs to a normal message.
Specifically, the initial detection and recognition model is trained using the feature information of historical request messages to be detected, and the black samples that were identified incorrectly are added back into the training set for the next round of training. Through such repeated training, the finally trained detection and recognition model can accurately identify most request messages to be detected, and the accuracy can be improved to more than 98%.
Specifically, the feature information may be analyzed by using a detection and recognition model established based on a binary classification algorithm to determine whether the request message to be detected belongs to a normal message. The feature information data of each dimension is integrated and input into the detection and recognition model to obtain a probability result (p, q) for the request message to be detected, where p is the normal tendency value, q is the abnormal tendency value, p + q = 1, and both p and q are greater than or equal to 0 and less than or equal to 1. Threshold filtering is then applied: if p is greater than or equal to a preset filtering threshold, the request message to be detected belongs to normal message data; otherwise, it belongs to abnormal message data.
The binary classification algorithm may specifically be a support vector machine algorithm, the XGBoost algorithm, the LightGBM algorithm, or the like. 5-fold cross-validation can be constructed for the detection and recognition model, and the number of folds can be increased according to actual application requirements to improve accuracy, or reduced to improve verification speed.
Therefore, the embodiment of the invention obtains the bitmap information capable of reflecting the characteristics of the request message by linearly analyzing the request message, filters useless data for subsequent characteristic extraction and accelerates the extraction speed, and extracts and analyzes the characteristic information of the request message by utilizing the characteristic extraction model and the detection identification model of machine learning respectively, so that whether the request message to be detected is a normal message or an abnormal message can be accurately and quickly judged, the detection speed and the detection accuracy are improved, and the filtering performance and the protection performance are improved.
Further, the embodiment of the present invention also discloses a specific application scenario of a message flow detection method for a request message to be detected in an http protocol, which includes:
Specifically, as shown in fig. 2 and fig. 3, attacks generally occur in the URI (Uniform Resource Identifier), the value fields of the request headers, and the request body, and different feature extraction methods are adopted for different message types. For example, for a GET message, feature values are extracted from the URI and the request headers; for a POST message, feature values are extracted from the URI, the request headers, and the request body string. The initial line is the request line of the request message.
The processing mode of the URI part in the request message is as follows:
for example, http://www.example.com/path/file.type?param=value;
the http://www.example.com/ part does not need to be processed, and path, file, file.type and value need to be extracted as four types of data with different dimensions.
The processing mode of the request header field in the request message is as follows:
for example: header1: value1;
header2: value2;
the header1_value1, header2_value2, value1 and value2 need to be extracted as four types of data with different dimensions.
The extraction process of the request main body in the POST message is as follows:
Specifically, the POST message parses the request body according to the Content-Type classification in the request header. For example, as shown in fig. 3, the Content-Type: extracting each value character string in key value in the request body as feature extraction; and for Content-Type: application/json, the value character string in {"key": "value"} in the JSON message is extracted as feature extraction.
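The URI, request-header and POST-body extraction rules above, as an added Python example (not code from the patent). The function and key names and the sample requests are constructed; reading "file" and "file.type" as file stem and extension, and using application/x-www-form-urlencoded for the key=value case, are assumptions.

```python
import json
import posixpath
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests (not captured traffic).
GET_SAMPLE = ("GET /path/file.type?param=value HTTP/1.1\r\n"
              "Host: www.example.com\r\nheader1: value1\r\nheader2: value2\r\n\r\n")
POST_JSON_SAMPLE = ("POST /api/login.php HTTP/1.1\r\nHost: www.example.com\r\n"
                    "Content-Type: application/json; charset=utf-8\r\n\r\n"
                    '{"user": "alice", "tags": ["a", 1]}')
POST_FORM_SAMPLE = ("POST /submit HTTP/1.1\r\nHost: www.example.com\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    "key1=value1&key2=value2")


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, header list and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method.upper(), target, headers, body


def uri_dimensions(target):
    """Scheme and host are ignored; keep path, file, file type, parameter values."""
    parts = urlsplit(target)
    directory, filename = posixpath.split(parts.path)
    stem, ext = posixpath.splitext(filename)
    return {
        "path": [seg for seg in directory.split("/") if seg],
        "file": [stem] if stem else [],
        "file_type": [ext.lstrip(".")] if ext else [],
        "value": [v for _, v in parse_qsl(parts.query, keep_blank_values=True)],
    }


def header_dimensions(headers):
    """Each header yields a name_value token and a bare value token."""
    return {
        "header_value": [f"{name.lower()}_{value}" for name, value in headers],
        "value": [value for _, value in headers],
    }


def json_leaf_values(node):
    """Yield every leaf value of a decoded JSON document as a string."""
    if isinstance(node, dict):
        for child in node.values():
            yield from json_leaf_values(child)
    elif isinstance(node, list):
        for child in node:
            yield from json_leaf_values(child)
    else:
        yield node if isinstance(node, str) else json.dumps(node)


def body_dimensions(content_type, body):
    """Pick the body parser from the Content-Type media type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        return [v for _, v in parse_qsl(body, keep_blank_values=True)]
    if media_type == "application/json":
        try:
            return list(json_leaf_values(json.loads(body)))
        except json.JSONDecodeError:
            return [body]  # malformed JSON: keep the raw body so it is still scored
    return [body] if body else []


def extract_dimensions(raw):
    """GET: URI + headers. POST: URI + headers + body, as described in the text."""
    method, target, headers, body = parse_request(raw)
    dims = {"uri": uri_dimensions(target), "headers": header_dimensions(headers)}
    if method == "POST":
        ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
        dims["body"] = body_dimensions(ctype, body)
    return dims


if __name__ == "__main__":
    for sample in (GET_SAMPLE, POST_JSON_SAMPLE, POST_FORM_SAMPLE):
        print(extract_dimensions(sample))
```

A body that claims application/json but does not parse is kept whole rather than dropped, so a malformed payload still reaches the feature extraction step.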
Correspondingly, the embodiment of the present invention further discloses a message traffic detection system, as shown in fig. 4, the system includes:
a message obtaining module 11, configured to obtain a request message to be detected;
the message analysis module 12 is configured to analyze the request message to be detected, and acquire dimension information of the request message to be detected;
the feature extraction module 13 is configured to extract feature information of the request message to be detected from the dimension information by using a preset feature extraction model;
the identification detection module 14 is configured to analyze the characteristic information by using a preset detection identification model, and determine whether the request message to be detected belongs to a normal message;
the characteristic extraction model is obtained by training through the dimension information of the historical request message to be detected, and the detection identification model is obtained by training through the characteristic information of the historical request message to be detected.
Therefore, the embodiment of the invention obtains the bitmap information capable of reflecting the characteristics of the request message by linearly analyzing the request message, filters useless data for subsequent characteristic extraction and accelerates the extraction speed, and extracts and analyzes the characteristic information of the request message by utilizing the characteristic extraction model and the detection identification model of machine learning respectively, so that whether the request message to be detected is a normal message or an abnormal message can be accurately and quickly judged, the detection speed and the detection accuracy are improved, and the filtering performance and the protection performance are improved.
Specifically, the feature extraction module 13 is specifically configured to extract feature information of the request packet to be detected from the dimension information by using a feature extraction model established based on a TFIDF algorithm or a word2vec algorithm.
Specifically, the identification detection module 14 is specifically configured to analyze the characteristic information by using a detection identification model established based on a binary classification algorithm, and determine whether the request packet to be detected belongs to a normal packet.
Specifically, the message parsing module 12 is specifically configured to parse the request message to be detected, and obtain a request message header, a request URL, and a request message body of the request message to be detected.
In addition, the embodiment of the invention also discloses a message flow detection device, which comprises:
a memory for storing a computer program;
and the processor is used for executing the computer program to realize the message flow detection method.
In addition, the embodiment of the invention also discloses a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and when being executed by a processor, the computer program realizes the message flow detection method.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The technical content provided by the present invention is described in detail above, and the principle and the implementation of the present invention are explained in this document by applying specific examples, and the above description of the examples is only used to help understanding the method of the present invention and the core idea thereof; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A message flow detection method is characterized by comprising the following steps:
acquiring a request message to be detected;
analyzing the request message to be detected to acquire dimension information of the request message to be detected;
extracting the feature information of the request message to be detected from the dimension information by using a preset feature extraction model;
analyzing the characteristic information by using a preset detection identification model, and judging whether the request message to be detected belongs to a normal message or not;
the feature extraction model is obtained by training through the dimension information of the historical request message to be detected, and the detection identification model is obtained by training through the feature information of the historical request message to be detected.
2. The message traffic detection method according to claim 1, wherein the process of extracting the feature information of the request message to be detected from the dimensional information by using a preset feature extraction model includes:
calculating a term frequency-inverse document frequency (TF-IDF) matrix of the dimension information by using a TFIDF algorithm in the feature extraction model;
and normalizing the TF-IDF matrix by using a word2vec algorithm in the feature extraction model, and extracting the feature information of the request message to be detected from the dimension information.
3. The message traffic detection method according to claim 2, wherein the process of analyzing the feature information by using a preset detection identification model and determining whether the request message to be detected is a normal message comprises:
analyzing the feature information by using a detection identification model established based on a binary classification algorithm, and judging whether the request message to be detected is a normal message.
4. The message flow detection method according to any one of claims 1 to 3, wherein the process of analyzing the request message to be detected and acquiring the dimension information of the request message to be detected includes:
and analyzing the request message to be detected, and acquiring a request message header, a request URL (uniform resource locator) and a request message body of the request message to be detected.
5. A message traffic detection system, comprising:
the message acquisition module is used for acquiring a request message to be detected;
the message analysis module is used for analyzing the request message to be detected and acquiring the dimension information of the request message to be detected;
the feature extraction module is used for extracting the feature information of the request message to be detected from the dimension information by using a preset feature extraction model;
the identification detection module is used for analyzing the feature information by using a preset detection identification model and judging whether the request message to be detected is a normal message;
wherein the feature extraction model is obtained by training on the dimension information of historical request messages to be detected, and the detection identification model is obtained by training on the feature information of the historical request messages to be detected.
6. The message traffic detection system according to claim 5, wherein the feature extraction module is specifically configured to extract the feature information of the request message to be detected from the dimensional information by using a feature extraction model established based on a TFIDF algorithm or a word2vec algorithm.
7. The message traffic detection system according to claim 6, wherein the identification detection module is specifically configured to analyze the feature information by using a detection identification model established based on a classification algorithm, and determine whether the request message to be detected is a normal message.
8. The message flow detection system according to any one of claims 5 to 7, wherein the message parsing module is specifically configured to parse the request message to be detected, and obtain a request message header, a request URL, and a request message body of the request message to be detected.
9. A message flow detection device is characterized by comprising:
a memory for storing a computer program;
a processor for executing the computer program to implement the message traffic detection method according to any of claims 1 to 4.
10. A computer-readable storage medium, wherein a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements the message traffic detection method according to any one of claims 1 to 4.
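The pipeline of claims 1 to 4 (parse into URL, header and body; TF-IDF features; binary decision) can be sketched as follows. This is an added example, not code from the patent or its applicant: the word2vec stage of claim 2 is replaced by plain L2 normalisation, the binary classifier is a nearest-centroid cosine rule, and every name and sample request is constructed for illustration.

```python
import math, re
from collections import Counter
from urllib.parse import unquote_plus

def parse_dimensions(raw):
    """Claim 4: split a raw HTTP request into URL, header and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return {"url": lines[0].split(" ")[1], "header": "\n".join(lines[1:]), "body": body}

def tokens(raw):
    """URL-decode each dimension; emit dimension-prefixed tokens, digit runs become '0'."""
    out = []
    for dim, text in parse_dimensions(raw).items():
        for t in re.findall(r"[a-z_]+|\d+|[^\sa-z0-9_]", unquote_plus(text).lower()):
            out.append(f"{dim}:{'0' if t.isdigit() else t}")
    return out

class Detector:
    """TF-IDF features plus a nearest-centroid rule (stand-in for the trained models)."""
    def fit(self, requests, labels):
        docs = [Counter(tokens(r)) for r in requests]
        df = Counter(t for d in docs for t in d)  # document frequency per token
        self.idf = {t: math.log((1 + len(docs)) / (1 + c)) + 1 for t, c in df.items()}
        self.centroid = {"normal": Counter(), "abnormal": Counter()}
        for d, label in zip(docs, labels):
            for t, w in self.vector(d).items():
                self.centroid[label][t] += w / labels.count(label)
        return self
    def vector(self, counts):
        """L2-normalised TF-IDF vector; tokens unseen in training are dropped."""
        v = {t: c * self.idf[t] for t, c in counts.items() if t in self.idf}
        norm = math.sqrt(sum(w * w for w in v.values())) or 1.0
        return {t: w / norm for t, w in v.items()}
    def scores(self, raw):
        """Mean cosine similarity of the request to each class of training requests."""
        v = self.vector(Counter(tokens(raw)))
        return {l: sum(w * c[t] for t, w in v.items()) for l, c in self.centroid.items()}
    def predict(self, raw):
        s = self.scores(raw)  # a tie fails closed to "abnormal"
        return "normal" if s["normal"] > s["abnormal"] else "abnormal"

def req(method, url, body=""):
    """Build a constructed raw request with a fixed Host header."""
    return f"{method} {url} HTTP/1.1\r\nHost: shop.example\r\n\r\n{body}"
# Constructed, labelled "historical" requests (not taken from the patent)
NORMAL = [req("GET", "/index.html"), req("GET", "/product?id=12"),
          req("GET", "/search?q=red+shoes"), req("POST", "/login", "user=alice&pass=secret")]
ABNORMAL = [req("GET", "/product?id=12'+OR+'1'='1"), req("POST", "/login", "user=admin'--&pass=x"),
            req("GET", "/search?q=<script>alert(1)</script>"),
            req("GET", "/product?id=1+UNION+SELECT+password+FROM+users")]
detector = Detector().fit(NORMAL + ABNORMAL, ["normal"] * 4 + ["abnormal"] * 4)
```

Prefixing each token with its dimension keeps, for example, `=` in a URL distinct from `=` in a body, so the same character can carry different weight depending on where in the request it appears.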
CN202110907955.5A 2021-08-09 2021-08-09 Message flow detection method, system, device and computer readable storage medium Withdrawn CN113645222A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110907955.5A CN113645222A (en) 2021-08-09 2021-08-09 Message flow detection method, system, device and computer readable storage medium


Publications (1)

Publication Number Publication Date
CN113645222A true CN113645222A (en) 2021-11-12

Family

ID=78420252

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110907955.5A Withdrawn CN113645222A (en) 2021-08-09 2021-08-09 Message flow detection method, system, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113645222A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114297641A (en) * 2021-12-31 2022-04-08 深信服科技股份有限公司 Method, system, storage medium and terminal for detecting abnormality of Web application

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110276640A (en) * 2019-06-10 2019-09-24 北京云莱坞文化传媒有限公司 More granularities of copyright are split and its method for digging of commercial value
CN111526141A (en) * 2020-04-17 2020-08-11 福州大学 Web anomaly detection method and system based on Word2vec and TF-IDF
US20210019422A1 (en) * 2019-07-17 2021-01-21 Vmware, Inc. Feature selection using term frequency-inverse document frequency (tf-idf) model


Similar Documents

Publication Publication Date Title
CN106961419B (en) WebShell detection method, device and system
CN109858248B (en) Malicious Word document detection method and device
CN111818198B (en) Domain name detection method, domain name detection device, equipment and medium
CN113194058B (en) WEB attack detection method, equipment, website application layer firewall and medium
CN110909531B (en) Information security screening method, device, equipment and storage medium
EP3703329A1 (en) Webpage request identification
CN111444349A (en) Information extraction method and device, computer equipment and storage medium
CN113076735A (en) Target information acquisition method and device and server
CN112948725A (en) Phishing website URL detection method and system based on machine learning
CN112492606A (en) Classification and identification method and device for spam messages, computer equipment and storage medium
CN114650176A (en) Phishing website detection method and device, computer equipment and storage medium
CN113645222A (en) Message flow detection method, system, device and computer readable storage medium
CN113918936A (en) SQL injection attack detection method and device
CN115314268B (en) Malicious encryption traffic detection method and system based on traffic fingerprint and behavior
CN114169432B (en) Cross-site scripting attack recognition method based on deep learning
CN111083705A (en) Group-sending fraud short message detection method, device, server and storage medium
CN113472686B (en) Information identification method, device, equipment and storage medium
CN112468444B (en) Internet domain name abuse identification method and device, electronic equipment and storage medium
CN109977298A (en) A method of extracting the accurate substring of longest from regular expression
CN114722385A (en) Flow information analysis method, system and related components
CN116414976A (en) Document detection method and device and electronic equipment
CN114048311A (en) Phishing early warning method, device, equipment and storage medium
CN113992390A (en) Phishing website detection method and device and storage medium
KR20220157565A (en) Apparatus and method for detecting web scanning attack
CN115329756B (en) Execution body extraction method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20211112