CN115499222A

CN115499222A - Training method of malicious request detection model, and malicious request identification method and equipment

Info

Publication number: CN115499222A
Application number: CN202211144655.7A
Authority: CN
Inventors: 黄蕾; 郑鹏飞; 王晨亦; 王实美
Original assignee: Agricultural Bank of China
Current assignee: Agricultural Bank of China
Priority date: 2022-09-20
Filing date: 2022-09-20
Publication date: 2022-12-20

Abstract

According to the training method of the malicious request detection model, electronic equipment annotates request paths and request parameters in the malicious sample requests by obtaining malicious sample requests and non-malicious sample requests to generate annotated malicious sample requests, and trains a neural network model through the annotated malicious sample requests and the non-malicious sample requests to obtain the malicious request detection model. In the technical scheme, the malicious request detection model obtained by training has analysis capability and learning capability, variant attack or novel attack can be effectively identified, and the identification accuracy is improved.

Description

Training method of malicious request detection model, and malicious request identification method and equipment

Technical Field

The present application relates to the field of network security technologies, and in particular, to a method for training a malicious request detection model, a method for identifying a malicious request, and a device for identifying a malicious request.

Background

In recent years, with the popularization of World Wide Web (Web) applications, the problem of Web security has also become more serious. Since the Web application attack may come from any online user, the online user may even be an authenticated user, so that the Web application attack is difficult to discover, and the information security of the user is seriously threatened.

At present, in order to deal with the problem of Web security, a blacklist rule base is mainly established in advance based on known attack characteristics, after a request is received, the request is subjected to characteristic matching with the known attack characteristics in the blacklist rule base, the request is considered to be a malicious request when matching is successful, otherwise, the request is considered to be a non-malicious request when matching is unsuccessful, and therefore the purpose of identifying the malicious request is achieved.

However, the prior art can only identify existing Web application attacks, and cannot identify variant attacks or new types of attacks.

Disclosure of Invention

The application provides a training method of a malicious request detection model, a malicious request identification method and equipment, and aims to solve the problem that the prior art can only identify the existing Web application attack and cannot identify variant attack or novel attack.

In a first aspect, an embodiment of the present application provides a method for training a malicious request detection model, including:

acquiring a malicious sample request and a non-malicious sample request;

annotating the request path and the request parameters in the malicious sample request to generate an annotated malicious sample request;

and training a neural network model through the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.

In one possible design of the first aspect, the request parameter includes at least one of the following sub-parameters:

the type of the malicious sample request, the character length of a ciphertext string, the character length ratio of the ciphertext string to the malicious sample request, the number of first preset characters in parameter values, the number ratio of the first preset characters to total characters in the parameter values, the number of preset character strings, the number ratio of the preset character strings to the total character strings in the malicious sample request, and access resource information.

In another possible design of the first aspect, the annotating the request path and the request parameters in the malicious sample request to generate an annotated malicious sample request includes:

decoding a request path in the malicious sample request, converting uppercase characters of a character string obtained after decoding into lowercase, and generating a first malicious sample request;

dividing each sub-parameter in the first malicious sample request through a second preset character, and connecting the divided sub-parameters through a third character to generate a second malicious sample request;

and annotating the processed request path in the second malicious sample request and the sub-parameters to generate the annotated malicious sample request.

In a second aspect, an embodiment of the present application provides a malicious request identification method, including:

acquiring a request to be identified;

inputting the request to be identified into a malicious request detection model, and obtaining a detection result, where the malicious request detection model is obtained by training with the method according to any one of the first aspect, and the detection result is used to indicate whether the request to be identified is a malicious request.

In one possible design of the second aspect, the method further includes:

if the detection result indicates that the request to be identified is a malicious request, intercepting the request to be identified, generating a corresponding error log, and returning error information to the terminal equipment which sends the request to be identified, wherein the error information is used for indicating that the request to be identified cannot be successfully sent to a corresponding server;

and if the detection result indicates that the request to be identified is a non-malicious request, forwarding the request to be identified to the corresponding server.

Optionally, the inputting the request to be identified into a malicious request detection model to obtain a detection result includes:

judging whether the terminal equipment has the authority to carry out information interaction with the server;

if yes, judging the type of the request to be identified;

if the type of the request to be identified is a GET request type, inputting a request head of the request to be identified into the malicious request detection model, and acquiring a detection result;

and if the type of the request to be identified is a POST request type, inputting a request head and a request body of the request to be identified into the malicious request detection model, and obtaining the detection result.

In a third aspect, an embodiment of the present application provides a training apparatus for a malicious request detection model, including:

the acquisition module is used for acquiring a malicious sample request and a non-malicious sample request;

the processing module is used for annotating the request path and the request parameters in the malicious sample request to generate an annotated malicious sample request;

and the training module is used for training a neural network model through the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.

In one possible design of the third aspect, the request parameter includes at least one of the following sub-parameters:

the malicious sample request comprises the type of the malicious sample request, the character length of a ciphertext string, the character length ratio of the ciphertext string to the malicious sample request, the number of first preset characters in parameter values, the number ratio of the first preset characters to total characters in the parameter values, the number of preset character strings, the number ratio of the preset character strings to the total character strings in the malicious sample request, and access resource information.

In another possible design of the third aspect, the processing module is specifically configured to:

In a fourth aspect, an embodiment of the present application provides a malicious request identification apparatus, including:

the acquisition module is used for acquiring a request to be identified;

an input module, configured to input the request to be identified into a malicious request detection model, and obtain a detection result, where the malicious request detection model is obtained by training using the method according to any one of the first aspects, and the detection result is used to indicate whether the request to be identified is a malicious request.

In one possible design of the fourth aspect, the apparatus further includes:

the sending module is used for intercepting the request to be identified if the detection result indicates that the request to be identified is a malicious request, generating a corresponding error log, and returning error information to the terminal equipment sending the request to be identified, wherein the error information is used for indicating that the request to be identified is not successfully sent to a corresponding server;

the sending module is further configured to forward the request to be identified to the corresponding server if the detection result indicates that the request to be identified is a non-malicious request.

Optionally, the input module is specifically configured to:

if yes, judging the type of the request to be identified;

In a fifth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and computer program instructions stored on the memory and executable on the processor for implementing the method of the first aspect and each possible design when the processor executes the computer program instructions.

In a sixth aspect, embodiments of the present application may provide a computer-readable storage medium having stored therein computer-executable instructions for implementing the method provided by the first aspect and each possible design when executed by a processor.

According to the training method of the malicious request detection model, the electronic device annotates the request path and the request parameters in the malicious sample request by acquiring the malicious sample request and the non-malicious sample request to generate the annotated malicious sample request, and trains the neural network model through the annotated malicious sample request and the non-malicious sample request to obtain the malicious request detection model. In the technical scheme, the malicious request detection model obtained by training has analysis capability and learning capability, so that variant attack or novel attack can be effectively identified, and the identification accuracy is improved. Meanwhile, the technical scheme does not need manual intervention, saves labor cost, can be suitable for various application scenes, and has high applicability.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.

Fig. 1 is a schematic diagram of a network architecture to which a malicious request detection model training method and a malicious request identification method provided in the embodiment of the present application are applicable;

fig. 2 is a schematic flowchart of a first embodiment of a method for training a malicious request detection model according to an embodiment of the present disclosure;

fig. 3 is a flowchart illustrating a second embodiment of a method for training a malicious request detection model according to an embodiment of the present application;

fig. 4 is a schematic flowchart of a third embodiment of a training method for a malicious request detection model according to an embodiment of the present application;

fig. 5 is a schematic flowchart illustrating a first embodiment of a malicious request identification method according to an embodiment of the present application;

fig. 6 is a flowchart illustrating a second malicious request identification method according to an embodiment of the present application;

fig. 7 is a schematic flowchart of a third embodiment of a malicious request identification method according to an embodiment of the present application;

fig. 8 is a schematic flowchart of a fourth embodiment of a malicious request identification method according to an embodiment of the present application;

fig. 9 is a schematic structural diagram of a training apparatus for a malicious request detection model according to an embodiment of the present disclosure;

fig. 10 is a schematic structural diagram of a malicious request identification method and apparatus according to an embodiment of the present disclosure;

fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application.

With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. The drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the concepts of the application by those skilled in the art with reference to specific embodiments.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.

Before describing embodiments of the present application, terms referred to in the embodiments of the present application will be explained:

deep learning: by utilizing the intrinsic rule and the expression level of the learning sample data, the machine can have the analysis capability and the learning capability like a human. The learning sample data is the malicious sample request and the non-malicious sample request of the application.

Attack: in information security technology, it is planned to eavesdrop, steal, damage information, or deny access to other authorized users.

The Web application comprises the following steps: an application program can be accessed through a browser, and a user only needs to install the browser and does not need to install other software.

Data packet filtering: routers or other hardware devices are used to monitor and filter incoming and outgoing Internet Protocol (IP) packets on the network and to reject suspicious packets.

Malicious request: requests threatening data or service security include acquiring server-side sensitive data, cross Site Script Attack (XSS) Attack, structured Query Language (SQL) injection, cross-Site domain request forgery, and the like.

Next, the application background of the present application will be described:

with the rapid development of information technology in modern society, information security technology has become one of the very important technologies in the field of data analysis. However, the attacking means and techniques of attackers are increasingly complicated, so that business systems face huge security challenges. Under the circumstances, how to effectively identify the Web malicious request becomes a problem which needs to be solved urgently.

Malicious requests are currently mainly identified by the following means:

(1) And a blacklist rule base based detection method: and manually summarizing the characteristics of the known attacks, establishing a blacklist rule base, performing characteristic matching on the request and the known attack characteristics in the blacklist rule base after receiving the request, considering the request as a malicious request when the matching is successful, and considering the request as a non-malicious request when the matching is unsuccessful. However, the black list rule base is difficult to develop and maintain, and a rule writer is required to have strong attack feature summarizing capacity; meanwhile, the method belongs to a lagging defense technology, only can identify the existing Web application attack, can not identify variant attack or novel attack, can not take effective measures before or during attack, can only remedy the damage after attack, and can not be used for unknown threat.

(2) And based on a security policy detection method: only regular requests are passed and all fuzzy requests are prohibited. Wherein the regular request may be preconfigured by the relevant staff. However, the method is easy to misjudge non-malicious requests in the fuzzy requests as malicious requests; in addition, if the Web application is updated, the security policy also needs to be updated synchronously, so that the method is not suitable for application scenes with high update frequency.

(3) And a data packet filtering-based detection method: filtering and limiting Transmission Control Protocol (TCP)/IP packets are implemented at the network layer, thereby filtering out non-malicious requests. However, the implementation steps of the method are complex, network congestion is easily caused in a high concurrency situation, and response is slow.

Based on the above problems, the present application provides a training method for a malicious request detection model and a malicious request identification method, which can train a neural network model by using a malicious sample request and a non-malicious sample request as training sets, so as to obtain a malicious request detection model. Therefore, in the actual application process, whether the request sent by the terminal equipment is a malicious request can be identified by using the malicious request detection model. Because the malicious request detection model has analysis capability and learning capability, variant attack or novel attack can be effectively identified, the labor cost is saved, the identification accuracy and the processing efficiency are improved, and the adaptability to application scenes is high.

For example, the training method of the malicious request detection model and the malicious request identification method provided in the embodiment of the present application may be applied to the network structure diagram shown in fig. 1. Fig. 1 is a schematic diagram of a network architecture to which a malicious request detection model training method and a malicious request identification method provided in an embodiment of the present application are applicable. As shown in fig. 1, the network structure may include: terminal equipment 11, electronic equipment 12, server 13. Optionally, the network structure may further include a sample request database 14, where the sample request database 14 stores a plurality of malicious sample requests and a plurality of non-malicious sample requests, and the electronic device 12 is in wireless communication with the terminal device 11, the server 13, and the sample request database 14, respectively.

For example, referring to fig. 1, the electronic device 12 may obtain a malicious sample request and a non-malicious sample request from the sample request database 14, and train a pre-stored neural network model according to the obtained malicious sample request and the non-malicious sample request, so as to generate a malicious request detection model. Further, the electronic device 12 may further obtain a request sent by the terminal device 11 for data interaction with the server 13, and input the request into a malicious request detection model for identification, so as to obtain a detection result indicating whether the request is a malicious request.

It should be noted that fig. 1 is only a schematic diagram of a network structure provided in the embodiment of the present application, and the embodiment of the present application does not limit the devices included in fig. 1, nor the location relationship between the devices in fig. 1, for example, in fig. 1, the sample request database 14 may be an external database with respect to the electronic device 12, and in other cases, the sample request database 14 may also be disposed in the electronic device 12.

It can be understood that the execution subject of the embodiment of the present application may be a terminal device, for example, a computer, a tablet computer, or the like, or may also be a server, for example, a background processing platform, or the like. Therefore, the present embodiment is explained by referring to the terminal device and the server collectively as the electronic device, and it can be determined as the actual situation as to whether the electronic device is specifically the terminal device or the server.

In an embodiment of the present application, the electronic device 12 may include a model generation module 121 and an attack detection module 122, where the model generation module 121 includes a data stream parser 1211, a data stream processing annotator 1212, and a deep learning trainer 1213; attack detection module 122 includes data stream parser 1221, attack detector 1222.

The data stream parser 1211 may be used to obtain malicious sample requests as well as non-malicious sample requests, among others.

The data stream processing annotator 1212 may be configured to annotate the request path and the request parameters in the malicious sample request, and generate an annotated malicious sample request.

The deep learning trainer 1213 may be configured to train the neural network model through the annotated malicious sample request and the non-malicious sample request, so as to obtain a malicious request detection model.

The data stream parser 1221 may be used to obtain a request to be recognized.

Attack detector 1222 may be configured to input the request to be identified into a malicious request detection model, and obtain a detection result.

The following describes the technical solution of the present application and how to solve the above technical problems in detail by using specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.

It should be noted that the following specific embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments.

Fig. 2 is a schematic flowchart of a first embodiment of a method for training a malicious request detection model according to an embodiment of the present application. As shown in fig. 2, the method for training the malicious request detection model may include the following steps:

s201, acquiring a malicious sample request and a non-malicious sample request.

The non-malicious sample request is a request transmitted in a normal data interaction process between the terminal device and the server, and the malicious sample request and the non-malicious sample request can be requests sent to the electronic device by an attacker through the terminal device at historical time.

Alternatively, the malicious sample requests as well as the non-malicious sample requests may be HTTP requests.

Optionally, the malicious sample requests and the non-malicious sample requests may be stored together in a sample request database; the malicious sample requests and the non-malicious sample requests can also be stored in two different databases respectively, for example, the malicious sample requests are stored in a first database, and the non-malicious sample requests are stored in a second database; the malicious sample request and the non-malicious sample request can be acquired from the sample request database by the electronic device, and the malicious sample request and the non-malicious sample request can also be acquired from the first database and the second database respectively.

Optionally, the number of the malicious sample requests may be one or multiple, and the number of the non-malicious sample requests may also be one or multiple, and may be determined according to actual situations.

S202, annotating the request path and the request parameters in the malicious sample request to generate an annotated malicious sample request.

Because request parameters are various in types and rich in semantics, subsequent model training cannot be performed by directly using a malicious sample request, and therefore, key information in the malicious sample request needs to be represented in a proper manner. Because the components of the HTTP request are relatively fixed, each part has good structural characteristics, and therefore the request path and the request parameters can be annotated according to the structural characteristics of each part, so that the neural network model can be trained subsequently.

Optionally, in order to avoid the dimension of the sub-parameter of the request parameter being too high, the sub-parameter of the request parameter may be set in advance, where the request parameter may include at least one of the following sub-parameters:

the type of the malicious sample request, the character length of the ciphertext string, the character length ratio of the ciphertext string to the malicious sample request, the number of first preset characters in parameter values, the number ratio of the first preset characters to total characters in the parameter values, the number of preset character strings, the number ratio of the preset character strings to the total character strings in the malicious sample request, and the access resource information.

Optionally, the request parameter includes at least one sub-parameter, and each sub-parameter in the request parameter may be segmented first and then annotated.

For example, the first preset character may be "'", "$", "#", and the like, and may be preset according to an actual requirement, which is not specifically limited in the embodiment of the present application.

For example, the preset character string may be "drop", "alert", "script", and the like, and may be preset according to an actual requirement, which is not specifically limited in the embodiment of the present application.

It should be understood that the first predetermined character and the predetermined character string are related to a malicious request, that is, in practical applications, the malicious request usually includes the first predetermined character and the predetermined character string.

S203, training the neural network model through the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.

In the embodiment of the application, the annotated malicious sample request and the non-malicious sample request are training sets, and the neural network model is trained through the training sets, so that the obtained malicious request detection model has the capability of recognizing the malicious request.

Optionally, the neural network model may be pre-stored in the electronic device by a relevant worker, and may also be obtained from a network or other database storing the neural network model, and the method for obtaining the neural network model is not specifically limited in this application.

According to the training method for the malicious request detection model, the electronic device annotates the request path and the request parameters in the malicious sample request by obtaining the malicious sample request and the non-malicious sample request to generate the annotated malicious sample request, and trains the neural network model by the annotated malicious sample request and the non-malicious sample request to obtain the malicious request detection model. In the technical scheme, the malicious request detection model obtained by training has analysis capability and learning capability, so that variant attack or novel attack can be effectively identified, and the identification accuracy is improved. Meanwhile, the technical scheme does not need manual intervention, saves labor cost, can be suitable for various application scenes, and has high applicability.

Optionally, in some embodiments, before the neural network model is trained by the annotated malicious sample request and the non-malicious sample request, the annotated malicious sample request and the non-malicious sample request may be further converted into an expression form understandable by the electronic device, for example, into 2-ary, and then the neural network model is trained by the converted training set.

Optionally, in some embodiments, S201 may be implemented by: the method comprises the steps of obtaining an initial malicious sample request and an initial non-malicious sample request, formatting the initial malicious sample request and the initial non-malicious sample request, only reserving request paths and request parameter parts in the initial malicious sample request and the initial non-malicious sample request, and deleting other redundant data, so that the malicious sample request and the non-malicious sample request are obtained, and the subsequent training efficiency is improved.

Optionally, fig. 3 is a schematic flowchart of a second embodiment of a method for training a malicious request detection model according to the embodiment of the present application. As shown in fig. 3, in connection with the embodiment shown in fig. 2, S202 may be implemented by the following steps:

s301, decoding a request path in the malicious sample request, converting uppercase characters of a character string obtained after decoding into lowercase, and generating a first malicious sample request.

For example, it is assumed that a character string obtained by decoding a request path in a malicious sample request is: and if the http:// localhost: ABCD/123ABCd, converting the capital characters into lowercase characters to obtain a character string of http:// localhost: ABCD/123ABCD.

S302, segmenting sub-parameters in the first malicious sample request through second preset characters, and connecting the segmented sub-parameters through third characters to generate a second malicious sample request.

For example, the third character may be a space, or may be another special character, and may be configured in advance according to actual requirements, which is not limited in this embodiment of the application.

And S303, annotating the processed request path and each sub-parameter in the second malicious sample request to generate an annotated malicious sample request.

In the embodiment, since the attack load of the malicious request is a command sequence which is composed of the special symbol and the attack keyword and has a certain structure, the malicious request detection model can better pay attention to the first preset character and the preset character string which are equal to the sensitive character related to the malicious request by annotating each sub-parameter, so that the recognition efficiency and the accuracy are improved.

In conjunction with the training method of the malicious request detection model in the foregoing embodiments, the method is exemplified by a specific example.

Fig. 4 is a flowchart illustrating a third embodiment of a method for training a malicious request detection model according to an embodiment of the present application. As shown in fig. 4, the method for training the malicious request detection model may include the following steps:

the electronic device may obtain an initial malicious sample request and an initial non-malicious sample request, format the initial malicious sample request and the initial non-malicious sample request through the data stream parser 1211, and obtain the malicious sample request and the non-malicious sample request. Then, the request path and the request parameters in the malicious sample request are annotated by the data stream processing annotator 1212, so as to generate an annotated malicious sample request. Finally, the deep learning trainer 1213 trains the neural network model according to the annotated malicious sample request and the non-malicious sample request to obtain a malicious request detection model.

After the malicious request detection model is obtained, the malicious request detection model can be used for identifying the request to be identified, which is sent by the terminal device. The following describes in detail a method for identifying a to-be-identified request by using the malicious request detection model in conjunction with a specific embodiment. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.

In a specific implementation, an execution subject of the malicious request identification method may also be an electronic device with processing capability, such as a terminal or a server. It should be understood that the electronic device executing the malicious request identification method may be the same device as the electronic device executing the malicious request detection model training method, or may be a different device.

Fig. 5 is a flowchart illustrating a malicious request identification method according to a first embodiment of the present application. As shown in fig. 5, the malicious request identification method may include the following steps:

s501, acquiring a request to be identified.

In the embodiment of the application, the request to be identified is a request sent by the terminal device to the server and used for data interaction with the server. The electronic device can obtain the request before the request reaches the server, and identify whether the request is a malicious request, so as to protect the data security of the server.

Alternatively, the request to be identified may be an HTTP request.

Optionally, the number of the to-be-identified requests in this step may be 1, or may be multiple, when the number of the to-be-identified requests is multiple, the multiple to-be-identified requests may be used for data interaction between the same terminal device and the same server, between the same terminal device and different servers, between different terminal devices and the same server, or between different terminal devices and different servers, or may be multiple, which is not specifically limited in this application.

Optionally, the electronic device may further obtain an initial request to be identified, format the initial request to be identified, only retain a request path and a request parameter portion of the initial request to be identified, and delete other redundant data, thereby obtaining the request to be identified.

S502, inputting the request to be identified into a malicious request detection model, and obtaining a detection result.

The malicious request detection model is obtained by training by adopting the method of the embodiment, and the detection result is used for indicating whether the request to be identified is a malicious request.

For example, the detection result may be "the request to be identified is a malicious request" or "the request to be identified is a non-malicious request".

According to the malicious request identification method provided by the embodiment of the application, the electronic equipment acquires the request to be identified, inputs the request to be identified into the malicious request detection model, and accordingly acquires the detection result. In the technical scheme, before the request to be identified is sent to the server, the request is identified through the malicious request detection model, and the data security of the server is effectively ensured. Meanwhile, the malicious request detection model has analysis capability and learning capability, can effectively identify variant attack or novel attack, and improves the identification accuracy. Meanwhile, the technical scheme does not need manual intervention, saves labor cost, can be suitable for various application scenes, and has high applicability.

Optionally, in some embodiments, the malicious request identification method may further include the following steps:

if the detection result indicates that the request to be identified is a malicious request, intercepting the request to be identified, generating a corresponding error log, returning error information to the terminal equipment sending the request to be identified, and if the detection result indicates that the request to be identified is a non-malicious request, forwarding the request to be identified to a corresponding server.

The error information is used for explaining that the request to be identified is not successfully sent to the corresponding server.

In the embodiment, the to-be-identified request is processed differently according to different contents indicated by the detection result, so that the subsequent normal processing of the non-malicious request is ensured, and when the to-be-identified request is detected to be a malicious request, the error information is returned to the terminal device sending the to-be-identified request, so that the relevant worker can repair the request in time under the condition of misjudgment of the to-be-identified request.

Optionally, in some embodiments, in combination with the embodiment shown in fig. 5, S502 may be implemented by the following steps:

and judging whether the terminal equipment has the authority to perform information interaction with the server, if so, judging the type of the request to be identified, and if the type of the request to be identified is the type of the acquisition (English: GET) request, inputting a request header of the request to be identified into a malicious request detection model to obtain a detection result. And if the type of the request to be identified is a sending (English: POST) request type, inputting a request head and a request body of the request to be identified into a malicious request detection model, and obtaining a detection result.

In the embodiment, before the identification request is identified, whether the terminal equipment has the authority to perform information interaction with the server or not is judged, so that the data safety of the server is effectively ensured, the subsequent identification operation is not performed when the terminal equipment has no authority, the redundant operation is reduced, and the identification efficiency is improved. Meanwhile, different parts of data are extracted according to the type of the request to be identified and input into the malicious request detection model for identification processing, so that the processing of the malicious request detection model on redundant data is reduced, and the identification processing efficiency is improved.

In combination with the training method of the malicious request identification method in each of the above embodiments, the method is exemplified by three specific examples.

Example 1 and fig. 6 are schematic flow charts of a second malicious request identification method provided in an embodiment of the present application. As shown in fig. 6, the malicious request identification method may further include the following steps:

the electronic device obtains the initial request to be recognized, and formats the initial request to be recognized through the data stream parser 1221 to obtain the initial request to be recognized. Thereafter, the request to be identified is input to the malicious request detection model by the attack detector 1222, and a detection result is obtained.

Example 2 and fig. 7 are schematic flow diagrams of a third embodiment of a malicious request identification method provided in the embodiment of the present application. As shown in fig. 7, the malicious request identification method may further include the following steps:

step 1, receiving an HTTP request line.

And 2, receiving the data stream through the buffer area, executing the step 3 if the data stream is successfully received, and executing the step 8 if the data stream is not successfully received.

Wherein, the data stream is the initial request to be identified.

And 3, verifying the integrity of the received data stream, if the integrity passes through the step 4, and if the integrity fails, executing the step 8.

And 4, analyzing the request header and the request body of the data stream through the analyzer, executing the step 5 if the analysis is normal, and executing the step 8 if the analysis is failed.

Step 5, acquiring the parameter characteristics of the request line, executing step 6 if the protocol version of the data stream is more than HTTP1.0, and taking the data stream as the request to be identified and executing step 7 if the protocol version is less than HTTP 1.0;

step 6, analyzing the header field of the data stream, and formatting the header field;

and 7, outputting a request to be identified, and stopping executing subsequent steps after the step is executed.

And 8, closing the connection with the terminal equipment for sending the data stream.

Example 3 and fig. 8 are schematic flow diagrams illustrating a fourth embodiment of a malicious request identification method provided in an embodiment of the present application. As shown in fig. 8, the malicious request identification method may further include the following steps:

s801, acquiring a request to be identified.

S802, detecting whether the terminal equipment sending the request to be identified has the right to access the server corresponding to the request to be identified, if so, executing S803, otherwise, ending.

And S803, acquiring a request header of the request to be identified.

And S804, judging the type of the request to be identified, executing S805 if the request is a POST request, and executing S806 if the request is a GET request.

And S805, acquiring a request body of the request to be identified.

S806, identifying whether the request head and/or the request body have abnormal behaviors through a malicious request detection model, if so, executing S807, and otherwise, executing S808.

And S807, intercepting the request to be identified, generating a corresponding error log, and returning error information to the terminal equipment.

And S808, forwarding the request to be identified to a corresponding server.

The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.

Fig. 9 is a schematic structural diagram of a training apparatus for a malicious request detection model according to an embodiment of the present application. As shown in fig. 9, the training apparatus of the malicious request detection model includes:

the obtaining module 91 is configured to obtain the malicious sample request and the non-malicious sample request.

The processing module 92 is configured to annotate the request path and the request parameters in the malicious sample request, and generate an annotated malicious sample request.

And the training module 93 is configured to train the neural network model through the annotated malicious sample request and the non-malicious sample request, so as to obtain a malicious request detection model.

In one possible design of the embodiment of the present application, the request parameter includes at least one of the following sub-parameters:

the method comprises the following steps of determining the type of a malicious sample request, the character length of the malicious sample request, the character length of a ciphertext string, the character length ratio of the ciphertext string to the malicious sample request, the number of first preset characters in parameter values, the number ratio of the first preset characters to total characters in the parameter values, the number of preset character strings, the number ratio of the preset character strings to the total character strings in the malicious sample request, and access resource information.

In another possible design of the embodiment of the present application, the processing module 92 is specifically configured to:

and decoding a request path in the malicious sample request, converting uppercase characters of the character string obtained after decoding into lowercase, and generating a first malicious sample request.

And segmenting each sub-parameter in the first malicious sample request through a second preset character, and connecting the segmented sub-parameters through a third character to generate a second malicious sample request.

And annotating the processed request path and each sub-parameter in the second malicious sample request to generate an annotated malicious sample request.

The obtaining module 91 may be the data stream parser 1211, the processing module 92 may be the data stream processing annotator 1212, and the training module 93 may be the deep learning trainer 1213.

The training device for the malicious request detection model provided in the embodiment of the application can be used for executing the training method for the malicious request detection model in any embodiment, and the implementation principle and the technical effect are similar, and are not repeated herein.

Fig. 10 is a schematic structural diagram of a malicious request identification method and apparatus according to an embodiment of the present application. As shown in fig. 10, the malicious request recognition apparatus includes:

an obtaining module 1001 is configured to obtain a request to be identified.

The input module 1002 is configured to input the request to be identified into a malicious request detection model, and obtain a detection result, where the malicious request detection model is obtained by using the method according to any one of the first aspect, and the detection result is used to indicate whether the request to be identified is a malicious request.

In one possible design of the embodiment of the present application, the apparatus further includes:

and the sending module is used for intercepting the request to be identified if the detection result indicates that the request to be identified is a malicious request, generating a corresponding error log, and returning error information to the terminal equipment sending the request to be identified, wherein the error information is used for indicating that the request to be identified is not successfully sent to the corresponding server.

And the sending module is further used for forwarding the request to be identified to the corresponding server if the detection result indicates that the request to be identified is a non-malicious request.

Optionally, the input module 1002 is specifically configured to:

and judging whether the terminal equipment has the authority to carry out information interaction with the server.

If yes, judging the type of the request to be identified.

And if the type of the request to be identified is the GET request type, inputting a request head of the request to be identified into a malicious request detection model, and obtaining a detection result.

And if the type of the request to be identified is the POST request type, inputting a request head and a request body of the request to be identified into a malicious request detection model, and obtaining a detection result.

The obtaining module 1001 may be the data stream parser 1221, and the inputting module 1002 may be the attack detector 1222.

The malicious request identification device provided in the embodiment of the application can be used for executing the malicious request identification method in any embodiment, and the implementation principle and the technical effect are similar, and are not described again here.

It should be noted that the division of each module of the above apparatus is only a logical division, and all or part of the actual implementation may be integrated into one physical entity or may be physically separated. And these modules can be realized in the form of software called by processing element; or can be implemented in the form of hardware; and part of the modules can be realized in the form of calling software by the processing element, and part of the modules can be realized in the form of hardware. In addition, all or part of the modules can be integrated together or can be independently realized. The processing element here may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or an instruction in the form of software.

Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 11, the electronic device 12 may include: the processor 1101, the memory 1102 and computer program instructions stored on the memory 1102 and executable on the processor 1101 implement the training method and/or the malicious request identification method of the malicious request detection model provided by any of the foregoing embodiments when the processor 1101 executes the computer program instructions.

Alternatively, the above devices of the electronic device 12 may be connected by a system bus.

The memory 1102 may be a separate memory unit or a memory unit integrated into the processor. The number of processors is one or more.

Optionally, the electronic device 12 may also include interfaces to interact with other devices.

The transceiver is used to communicate with other computers, and the transceiver constitutes a communication interface.

It should be appreciated that the Processor 1101 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), etc. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of a method disclosed in this application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in a processor.

The system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The system bus may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The memory may include a Random Access Memory (RAM) and may also include a non-volatile memory (NVM), such as at least one disk memory.

All or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The aforementioned program may be stored in a readable memory. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape (magnetic tape), floppy disk (optical disk), and any combination thereof.

The electronic device provided in the embodiment of the present application may be configured to execute the malicious request detection model training method and/or the malicious request identification method provided in any of the above method embodiments, and the implementation principle and the technical effect are similar, which are not described herein again.

An embodiment of the present application provides a computer-readable storage medium, where a computer execution instruction is stored in the computer-readable storage medium, and when the computer execution instruction is executed on a computer, the computer is enabled to execute the above training method for a malicious request detection model and/or the malicious request identification method.

The computer-readable storage medium may be any type of volatile or non-volatile storage device or combination thereof, such as static random access memory, electrically erasable programmable read only memory, magnetic memory, flash memory, magnetic or optical disk. Readable storage media can be any available media that can be accessed by a general purpose or special purpose computer.

Alternatively, a readable storage medium may be coupled to the processor such that the processor can read information from, and write information to, the readable storage medium. Of course, the readable storage medium may also be an integral part of the processor. The processor and the readable storage medium may reside in an Application Specific Integrated Circuits (ASIC). Of course, the processor and the readable storage medium may also reside as discrete components in the apparatus.

Embodiments of the present application further provide a computer program product, where the computer program product includes a computer program, where the computer program is stored in a computer-readable storage medium, and the computer program can be read by at least one processor from the computer-readable storage medium, and when the computer program is executed by the at least one processor, the method for training a malicious request detection model and/or the method for identifying a malicious request may be implemented.

It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims

1. A training method of a malicious request detection model is characterized by comprising the following steps:

acquiring a malicious sample request and a non-malicious sample request;

2. The method of claim 1, wherein the request parameter comprises at least one of the following sub-parameters:

3. The method according to claim 1 or 2, wherein annotating request paths and request parameters in the malicious sample request to generate an annotated malicious sample request comprises:

4. A malicious request identification method, comprising:

acquiring a request to be identified;

inputting the request to be identified into a malicious request detection model, and obtaining a detection result, wherein the malicious request detection model is obtained by adopting the method as claimed in any one of claims 1 to 3, and the detection result is used for indicating whether the request to be identified is a malicious request.

5. The method of claim 4, further comprising:

6. The method according to claim 5, wherein the inputting the request to be identified into a malicious request detection model to obtain a detection result comprises:

if yes, judging the type of the request to be identified;

if the type of the request to be identified is the type of the GET request, inputting a request header of the request to be identified into the malicious request detection model, and obtaining the detection result;

and if the type of the request to be identified is the type of sending the POST request, inputting a request head and a request body of the request to be identified into the malicious request detection model, and acquiring the detection result.

7. An apparatus for training a malicious request detection model, comprising:

8. An apparatus for identifying malicious requests, comprising:

the acquisition module is used for acquiring a request to be identified;

an input module, configured to input the request to be identified into a malicious request detection model, and obtain a detection result, where the malicious request detection model is obtained by training according to the method of any one of claims 1 to 3, and the detection result is used to indicate whether the request to be identified is a malicious request.

9. An electronic device, comprising: a processor, a memory, and computer program instructions stored on the memory and executable on the processor, wherein the processor, when executing the computer program instructions, is configured to implement the method of any of claims 1 to 6.

10. A computer-readable storage medium having computer-executable instructions stored thereon, which when executed by a processor, are configured to implement the method of any one of claims 1 to 6.