CN117857157A - Firewall threat detection method and system based on deep learning - Google Patents

Firewall threat detection method and system based on deep learning

Info

Publication number
CN117857157A
Authority
CN
China
Prior art keywords
http request
request information
key information
information
firewall
Legal status
Pending
Application number
CN202311798962.1A
Other languages
Chinese (zh)
Inventor
兰雨晴
余丹
乔孟阳
邢智涣
于艺春
Current Assignee
China Standard Intelligent Security Technology Co Ltd
Original Assignee
China Standard Intelligent Security Technology Co Ltd


Abstract

The invention discloses a firewall threat detection method and a firewall threat detection system based on deep learning. The method comprises the following steps: crawling http request information to obtain original http request information; preprocessing the original http request information to obtain preprocessed http request information; acquiring a bidirectional LSTM model injected with a self-attention mechanism; and training the bidirectional LSTM model injected with the self-attention mechanism on the preprocessed http request information to obtain a firewall threat detection model. With this technical scheme, deep features can be extracted, abstract information in the request information can be learned, the attributes that signal abnormal behaviour are weighted by the attention mechanism, a more effective firewall threat detection model is obtained, and the accuracy of web-side anomaly detection is improved.

Description

Firewall threat detection method and system based on deep learning
Technical Field
The invention relates to the technical field of artificial intelligence, in particular to a firewall threat detection method and system based on deep learning.
Background
With the rapid development of computer and network technologies, modern information technology has played a vital role in human society, pushing the technological progress and civilization of society. At the same time, however, the openness and popularity of information networks has also presented a number of security challenges, including threats such as hacking, worm viruses, malicious code, and the like. To address these risks, the field of network security employs various defenses, where firewalls are a key technology. Firewalls act as the first line of defense in network security, aimed at monitoring, filtering, and controlling traffic in and out of the network to protect the network from potential threats.
One prior-art method performs identity recognition over the Modbus protocol, uses the OPC protocol for data acquisition and transmission, applies Linear Discriminant Analysis (LDA) for feature extraction and selection, trains a Support Vector Machine (SVM), and evaluates with leave-one-out validation on an independent, identically distributed test set. Such a firewall combines protocol identification, dimensionality reduction and machine learning, but these algorithms first compute feature statistics over the modelling data and then build a model for anomaly detection; this is a shallow feature representation that cannot accurately describe the relationships between features. To solve these problems, the embodiments of the invention disclose a firewall threat detection method and a firewall threat detection system based on deep learning.
Disclosure of Invention
In view of the problems in the prior art, the invention provides a firewall threat detection method and a firewall threat detection system based on deep learning, which address the problem stated in the background: performing feature statistics on the modelling data and then building a model for anomaly detection is a shallow feature representation that cannot accurately describe the relationships between features.
A firewall threat detection method based on deep learning comprises the following steps:
crawling http request information to obtain original http request information;
preprocessing the original http request information to obtain preprocessed http request information;
acquiring a bidirectional LSTM model injected with a self-attention mechanism;
training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model.
Preferably, crawling the http request information to obtain the original http request information, including:
determining an application target and a scene of firewall threat detection;
determining a data capturing tool and configuring the capturing tool to obtain a target capturing tool;
capturing normal http request information in a real network environment and/or a simulation environment through the target capturing tool based on the application target and the scene;
capturing abnormal http request information in a plurality of attack scenes simulated by an experimental environment through the target capturing tool based on the application target and the scenes;
and determining the normal http request information and the abnormal http request information as the original http request information.
Preferably, preprocessing the original http request information to obtain preprocessed http request information, including:
acquiring an http parsing tool, and parsing the original http request information through the http parsing tool to obtain an http parsing result;
extracting key information from the http parsing result to obtain original key information;
performing URL processing and text processing on the original key information to obtain key information after URL processing and text processing;
performing numerical conversion on the key information after URL processing and text processing to obtain key information after numerical conversion;
performing missing value processing on the key information after numerical conversion to obtain key information after missing value processing;
and normalizing the key information after missing value processing to obtain normalized key information, and determining the normalized key information as the preprocessed http request information.
Preferably, acquiring a bidirectional LSTM model injected with a self-attention mechanism includes:
selecting a target model construction tool, and importing the library and modules for model construction in the target model construction tool;
determining input sequence information, and constructing a self-attention mechanism layer that assigns different weights to the input sequence information, based on the library and modules;
constructing an original bidirectional LSTM model from the forward information and reverse information of the input sequence information, based on the library and modules;
and integrating the self-attention mechanism layer into the original bidirectional LSTM model to obtain the bidirectional LSTM model injected with the self-attention mechanism.
Preferably, training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model includes:
determining a label corresponding to the preprocessed http request information, wherein the label is one of normal and abnormal;
dividing the preprocessed http request information into a training set and a test set according to the labels and a preset proportion;
defining a loss function and an optimizer;
training the bidirectional LSTM model injected with the self-attention mechanism on the training set based on the loss function and the optimizer to obtain a trained bidirectional LSTM model;
testing the trained bidirectional LSTM model on the test set to obtain a model evaluation index;
and judging whether the model evaluation index meets the target requirement: if so, determining the trained bidirectional LSTM model as the firewall threat detection model; if not, performing parameter tuning on the trained bidirectional LSTM model and determining the tuned model as the firewall threat detection model once tuning is completed.
Preferably, extracting key information from the http parsing result to obtain original key information includes:
determining a key information extraction task, and defining the meaning of the key information according to the extraction task;
writing extraction logic according to the meaning of the key information;
taking a plurality of parsing results from the http parsing results, and testing the extraction logic on these parsing results to obtain a test result;
when the accuracy of the test result reaches a preset standard, extracting key information from the http parsing results through the extraction logic to obtain the original key information;
and acquiring the extraction time of the original key information, and storing the original key information according to the extraction time.
Preferably, capturing abnormal http request information in a plurality of attack scenes simulated by an experimental environment through the target capturing tool based on the application target and the scenes includes:
selecting a plurality of attack scenes according to the application target and scenes, and performing simulation configuration of the plurality of attack scenes in the experimental environment;
selecting a target attack tool, and carrying out attacks through the target attack tool based on the plurality of attack scenes;
starting the target capturing tool and capturing, through it, the traffic generated while the target attack tool runs, so as to obtain attack data;
and after a preset stop-capture criterion is reached, sorting and marking the attack data to obtain the abnormal http request information.
A deep learning based firewall threat detection system, the system comprising:
the crawling module is used for crawling the http request information to obtain the original http request information;
the preprocessing module is used for preprocessing the original http request information to obtain preprocessed http request information;
the acquisition module is used for acquiring a bidirectional LSTM model injected with a self-attention mechanism;
and the training module is used for training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model.
The crawling module is further used for determining application targets and scenes of firewall threat detection; determining a data capturing tool and configuring the capturing tool to obtain a target capturing tool; capturing normal http request information in a real network environment and/or a simulation environment through the target capturing tool based on the application target and the scene; capturing abnormal http request information in a plurality of attack scenes simulated by an experimental environment through the target capturing tool based on the application target and the scenes; and determining the normal http request information and the abnormal http request information as the original http request information.
The preprocessing module is further used for acquiring an http parsing tool and parsing the original http request information through it to obtain an http parsing result; extracting key information from the http parsing result to obtain original key information; performing URL processing and text processing on the original key information to obtain key information after URL processing and text processing; performing numerical conversion on the key information after URL processing and text processing to obtain key information after numerical conversion; performing missing value processing on the key information after numerical conversion to obtain key information after missing value processing; and normalizing the key information after missing value processing to obtain normalized key information, and determining the normalized key information as the preprocessed http request information.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
The technical scheme of the invention is further described in detail through the drawings and the embodiments.
Drawings
The accompanying drawings are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate the invention and together with the embodiments of the invention, serve to explain the invention.
FIG. 1 is a workflow diagram of a firewall threat detection method based on deep learning provided by the invention;
FIG. 2 is another workflow diagram of a firewall threat detection method based on deep learning provided by the present invention;
FIG. 3 is a further workflow diagram of a firewall threat detection method based on deep learning in accordance with the present invention;
FIG. 4 is a schematic structural diagram of a firewall threat detection system based on deep learning according to the present invention.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
A firewall threat detection method based on deep learning, as shown in figure 1, comprises the following steps:
step S101, crawling http request information to obtain original http request information;
step S102, preprocessing original http request information to obtain preprocessed http request information;
step S103, acquiring a bidirectional LSTM model injected with a self-attention mechanism;
and step S104, training a bidirectional LSTM model injected with a self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model.
In this embodiment, the original http request information includes normal http request information and abnormal http request information. http request information is the information sent to a server over the http protocol to request a specific resource; in the abnormal case it may carry a threat that the firewall has to detect.
In this embodiment, the LSTM model refers to a long-short-term memory network model.
In this embodiment, the bidirectional LSTM model injected with the self-attention mechanism is trained, the preprocessed http request information is transferred to a plurality of hidden layers to learn abstract information in the request data packet, and attribute features having an important influence on malicious behavior prediction are recorded through the attention mechanism.
The working principle of the technical scheme is as follows: firstly, crawling http request information to obtain original http request information, then preprocessing the original http request information to obtain preprocessed http request information, further obtaining a bidirectional LSTM model injected with a self-attention mechanism, and finally training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model.
The beneficial effects of the technical scheme are as follows: training the bidirectional LSTM model injected with the self-attention mechanism on the preprocessed http request information extracts deep features and learns the abstract information in the request information, the attributes that signal abnormal behaviour are weighted by the attention mechanism, a more effective firewall threat detection model is obtained, and the accuracy of web-side anomaly detection is improved.
In one embodiment, as shown in fig. 2, crawling the http request information to obtain the original http request information includes:
step S201, determining an application target and a scene of firewall threat detection;
step S202, determining a data capturing tool and configuring the capturing tool to obtain a target capturing tool;
step S203, capturing normal http request information in a real network environment and/or a simulation environment through a target capturing tool based on an application target and a scene;
step S204, capturing abnormal http request information in a plurality of attack scenes simulated by an experimental environment based on an application target and the scenes through the target capturing tool;
step S205, determining normal http request information and abnormal http request information as original http request information.
In this embodiment, the application target and scenario may be network security, malicious script attack, anomaly detection, or other tasks related to http requests.
In this embodiment, the data capturing tool refers to a network packet capturing tool, such as Wireshark.
The beneficial effects of the technical scheme are as follows: by determining the application target and scenario of firewall threat detection, data can be acquired in a targeted manner; capturing normal and abnormal http request information through the target capturing tool yields complete normal and abnormal data sets, so the resulting anomaly model can cope with a variety of risks and the model's capability is improved.
In one embodiment, preprocessing the original http request information to obtain preprocessed http request information, including:
acquiring an http parsing tool, and parsing the original http request information through the http parsing tool to obtain an http parsing result;
extracting key information from the http parsing result to obtain original key information;
performing URL processing and text processing on the original key information to obtain key information after URL processing and text processing;
performing numerical conversion on the key information after URL processing and text processing to obtain key information after numerical conversion;
performing missing value processing on the key information after numerical conversion to obtain key information after missing value processing;
and normalizing the key information after missing value processing to obtain normalized key information, and determining the normalized key information as the preprocessed http request information.
In this embodiment, the http parsing tool may be an http parsing library, such as http-parser, where the http parsing result obtained after parsing includes but is not limited to: request method, URL, request header, request body, etc.
In this embodiment, the original key information includes, but is not limited to: URL path and parameters, request method (GET, POST, etc.), request header information, request body content, source IP address, destination IP address, port number, etc.
The beneficial effects of the technical scheme are as follows: parsing the original http request information with the http parsing tool yields a complete and accurate http parsing result; extracting key information isolates the important parts of the http request information; URL and text processing converts the http request information into a form the model can consume; missing value processing ensures the integrity of the data; and the final normalization puts the data on similar scales, which helps the model converge faster.
In one embodiment, acquiring a bidirectional LSTM model injected with a self-attention mechanism includes:
selecting a target model construction tool, and importing the library and modules for model construction in the target model construction tool;
determining input sequence information, and constructing a self-attention mechanism layer that assigns different weights to the input sequence information, based on the library and modules;
constructing an original bidirectional LSTM model from the forward information and reverse information of the input sequence information, based on the library and modules;
and integrating the self-attention mechanism layer into the original bidirectional LSTM model to obtain the bidirectional LSTM model injected with the self-attention mechanism.
In this embodiment, the target model construction tool may be PyTorch, and the library and module may be torch, torch.
In this embodiment, constructing the self-attention mechanism layer means assigning different weights to different parts of the input sequence, so that the layer learns the weight of each position and thereby the importance of the different positions in the input sequence; for example, the request method, URL and request header of the http information may be assigned weights in the ratio 4:2:4, and the importance of the different parts is then learned from these weights.
In this embodiment, constructing an original bidirectional LSTM model from the forward information and reverse information of the input sequence information means: defining the input and output of the model according to the input sequence information (for example the dimension of the input sequence and the dimension of the word embedding; for a binary classification task the output dimension is 1), then building the embedding layer of the model, then building the bidirectional LSTM layer, finally adding a fully connected layer, and instantiating the model to obtain the original bidirectional LSTM model. The forward information and reverse information refer to the model having a forward computation and a reverse computation over the sequence.
In this embodiment, the self-attention mechanism layer is applied to the output sequence of the original bidirectional LSTM model. This helps the LSTM better capture global dependencies across the input sequence.
The beneficial effects of the technical scheme are as follows: by constructing a self-attention mechanism layer and integrating the self-attention mechanism layer into an original bidirectional LSTM model, the model can be allowed to better understand the relation between different positions in an input sequence, and the expression capacity of the model is improved.
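The layer construction described in this embodiment, shown as an added example that is not the patent's code: a forward pass of a bidirectional LSTM whose output sequence is pooled by an attention layer, written in pure Python so it has no dependencies. The patent names PyTorch but shows no code, so the embedding and hidden sizes, the character-level tokenizer and the seeded random weights are assumptions. With untrained weights the probability it returns is not meaningful; the point is the data flow from tokens through the two directions to the per-position attention weights.

```python
# Forward pass of a bidirectional LSTM with an attention layer over its
# output sequence, in pure Python (no PyTorch dependency). Layer sizes,
# the char-level tokenizer and the seeded weight initialisation are
# assumptions; the patent names PyTorch but shows no code.
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def softmax(xs):
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


def rand_matrix(rows, cols, rng, scale=0.1):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]


def matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


class LSTMCell:
    """One-direction LSTM: gates i, f, o and candidate g over [x_t, h_{t-1}]."""

    def __init__(self, n_in, n_hidden, rng):
        self.n_hidden = n_hidden
        self.w = {g: rand_matrix(n_hidden, n_in + n_hidden, rng) for g in "ifog"}
        self.b = {g: [0.0] * n_hidden for g in "ifog"}

    def gate(self, name, z, act):
        return [act(a + b) for a, b in zip(matvec(self.w[name], z), self.b[name])]

    def run(self, seq):
        h, c, outputs = [0.0] * self.n_hidden, [0.0] * self.n_hidden, []
        for x in seq:
            z = list(x) + h
            i, f, o = (self.gate(g, z, sigmoid) for g in "ifo")
            g = self.gate("g", z, math.tanh)
            c = [fi * ci + ii * gi for fi, ci, ii, gi in zip(f, c, i, g)]
            h = [oi * math.tanh(ci) for oi, ci in zip(o, c)]
            outputs.append(h)
        return outputs


class AttentiveBiLSTM:
    """Embedding -> forward and backward LSTM -> attention pooling -> sigmoid."""

    def __init__(self, vocab=128, n_embed=8, n_hidden=6, seed=0):
        rng = random.Random(seed)
        self.embedding = rand_matrix(vocab, n_embed, rng, scale=0.5)
        self.fwd = LSTMCell(n_embed, n_hidden, rng)
        self.bwd = LSTMCell(n_embed, n_hidden, rng)
        # Attention scoring vector: one score per position, softmax -> weights.
        self.attn = rand_matrix(1, 2 * n_hidden, rng)[0]
        self.out_w = rand_matrix(1, 2 * n_hidden, rng)[0]
        self.out_b = 0.0

    def forward(self, token_ids):
        x = [self.embedding[t] for t in token_ids]
        h_fwd = self.fwd.run(x)
        h_bwd = self.bwd.run(x[::-1])[::-1]             # reverse pass, realigned
        states = [f + b for f, b in zip(h_fwd, h_bwd)]  # 2*n_hidden per position
        weights = softmax([sum(a * s for a, s in zip(self.attn, st)) for st in states])
        context = [sum(w * st[k] for w, st in zip(weights, states)) for k in range(len(self.attn))]
        logit = sum(a * c for a, c in zip(self.out_w, context)) + self.out_b
        return sigmoid(logit), weights


def encode(request_text, vocab=128):
    """Char-level tokens; any non-ASCII character maps to id 0 (assumption)."""
    return [ord(ch) if ord(ch) < vocab else 0 for ch in request_text]


def score_request(model, request_text):
    """Returns (abnormal probability, one attention weight per character)."""
    return model.forward(encode(request_text))


if __name__ == "__main__":
    m = AttentiveBiLSTM()
    p, w = score_request(m, "GET /item?id=1' OR 1=1--")
    print(round(p, 3), [round(x, 3) for x in w])
```

Each position in the input receives exactly one attention weight and the weights sum to 1, which is what lets a trained model report which bytes of a request drove its decision.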
In one embodiment, training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model includes:
determining a label corresponding to the preprocessed http request information, wherein the label is one of normal and abnormal;
dividing the preprocessed http request information into a training set and a test set according to the labels and a preset proportion;
defining a loss function and an optimizer;
training the bidirectional LSTM model injected with the self-attention mechanism on the training set based on the loss function and the optimizer to obtain a trained bidirectional LSTM model;
testing the trained bidirectional LSTM model on the test set to obtain a model evaluation index;
and judging whether the model evaluation index meets the target requirement: if so, determining the trained bidirectional LSTM model as the firewall threat detection model; if not, performing parameter tuning on the trained bidirectional LSTM model and determining the tuned model as the firewall threat detection model once tuning is completed.
In this embodiment, the ratio of the training set to the test set may be 8:2.
In this embodiment, the loss function may be cross-entropy loss, and the optimizer may be Adam, SGD, or the like.
In this embodiment, the target requirement may be that the accuracy (ACC) reaches 93%.
The beneficial effects of the technical scheme are as follows: by dividing the data into a training set and a testing set to train and test the model, a firewall threat detection model meeting the requirements can be obtained.
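The training, test and gate procedure of this embodiment, as an added example that is not the patent's code. To stay dependency-free it trains logistic regression over four hand-made URL features instead of the BiLSTM (an assumption; the stratified split, cross-entropy loss, SGD update, evaluation and tuning loop are model-agnostic). The labelled URLs are constructed from templates, and the tuning grid is an assumption.

```python
# Model-agnostic training loop: stratified 8:2 split, binary cross-entropy,
# SGD, and the 93% accuracy gate with parameter tuning on failure. To stay
# dependency-free the classifier is logistic regression over four hand-made
# request features, standing in for the BiLSTM (assumption). The labelled
# URLs are constructed from templates, not captured traffic.
import math
import random
import urllib.parse

SQLI_MARKERS = ("' or ", "union select", "--", "sleep(")
XSS_MARKERS = ("<script", "onerror=", "javascript:")


def features(url):
    """Numerical conversion of one URL (decoded first) into a 4-feature vector."""
    path = urllib.parse.unquote(url)
    low = path.lower()
    return [
        len(path) / 200.0,
        float(sum(low.count(m) for m in SQLI_MARKERS + XSS_MARKERS)),
        sum(ch in "'\"<>()" for ch in path) / max(len(path), 1),
        path.count("=") / 10.0,
    ]


def build_dataset(seed=1):
    """60 constructed rows: 30 normal (label 0) and 30 attack (label 1)."""
    rng = random.Random(seed)
    normal = ["/index.html", "/static/app.js?v={n}", "/login",
              "/api/items?page={n}&size=20", "/images/{n}.png"]
    attacks = ["/item?id={n}%27%20or%201%3D1--",
               "/search?q=%3Cscript%3Ealert({n})%3C/script%3E",
               "/item?id={n}%20union%20select%201,2,3",
               "/u?name=%3Cimg%20src%3Dx%20onerror%3Dalert({n})%3E",
               "/p?id={n}%3Bsleep(5)--"]
    rows = []
    for _ in range(6):
        rows += [(features(t.format(n=rng.randint(1, 99))), 0) for t in normal]
        rows += [(features(t.format(n=rng.randint(1, 99))), 1) for t in attacks]
    return rows


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def stratified_split(rows, train_ratio=0.8, seed=0):
    """Split per label so both sets keep the normal/abnormal ratio."""
    rng = random.Random(seed)
    train, test = [], []
    for label in (0, 1):
        group = [r for r in rows if r[1] == label]
        rng.shuffle(group)
        k = int(len(group) * train_ratio)
        train += group[:k]
        test += group[k:]
    return train, test


def train_logreg(train, lr, epochs, seed=0):
    """Plain SGD on binary cross-entropy; returns (weights, bias)."""
    rng = random.Random(seed)
    order = list(train)
    w, b = [0.0] * len(order[0][0]), 0.0
    for _ in range(epochs):
        rng.shuffle(order)
        for x, y in order:
            p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
            grad = p - y  # d(cross-entropy)/d(logit)
            w = [wi - lr * grad * xi for wi, xi in zip(w, x)]
            b -= lr * grad
    return w, b


def evaluate(model, rows):
    """Returns (accuracy, mean cross-entropy loss) on labelled rows."""
    w, b = model
    correct, loss = 0, 0.0
    for x, y in rows:
        p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
        p = min(max(p, 1e-7), 1 - 1e-7)
        loss -= y * math.log(p) + (1 - y) * math.log(1 - p)
        correct += int((p >= 0.5) == (y == 1))
    return correct / len(rows), loss / len(rows)


def fit_with_gate(rows, target_acc=0.93, grid=((0.1, 5), (0.3, 30), (0.3, 150))):
    """Train, test, and retrain with the next (lr, epochs) setting until the gate passes."""
    train, test = stratified_split(rows)
    for lr, epochs in grid:
        model = train_logreg(train, lr, epochs)
        acc, loss = evaluate(model, test)
        if acc >= target_acc:
            return {"model": model, "accuracy": acc, "loss": loss, "lr": lr, "epochs": epochs}
    raise RuntimeError("no setting in the tuning grid reached the accuracy target")


if __name__ == "__main__":
    print(fit_with_gate(build_dataset()))
```

With only 12 test rows a single error already drops accuracy to about 92%, below the 93% target, so the gate is only meaningful on a test set large enough for the threshold to distinguish models rather than single misclassifications.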
In one embodiment, as shown in FIG. 3, extracting key information from the http parsing result to obtain original key information includes:
step S301, determining a key information extraction task, and defining the meaning of the key information according to the extraction task;
step S302, writing extraction logic according to the meaning of the key information;
step S303, taking a plurality of parsing results from the http parsing results, and testing the extraction logic on these parsing results to obtain a test result;
step S304, when the accuracy of the test result reaches a preset standard, extracting key information from the http parsing results through the extraction logic to obtain the original key information;
step S305, acquiring the extraction time of the original key information, and storing the original key information according to the extraction time.
In this embodiment, the key information extraction task is the task of extracting particular fields such as the URL, parameters and request method, and defining the meaning of the key information means defining these key fields.
In this embodiment, the extraction logic is the logical procedure used to extract the key information.
In this embodiment, the preset standard may be 95%.
The beneficial effects of the technical scheme are as follows: checking the accuracy of the test result ensures that the extraction logic is correct before it is run over the whole data set, so the accuracy of the full extraction is guaranteed; storing the data by extraction time then gives the stored data a clearer structure.
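One implementation of the preprocessing pipeline of the earlier embodiment (parsing, key information extraction, URL and text processing, numerical conversion, missing-value processing and normalization) together with the extraction-logic test and time-stamped storage of steps S301 to S305 above, as an added example that is not the patent's code. The hand-written parser stands in for the http-parser library the patent names; the chosen feature set, median imputation, min-max scaling and the three request samples are assumptions, and the source IP is read from an X-Forwarded-For header because the samples carry no IP layer.

```python
# Raw HTTP request -> parse -> key information -> URL/text processing ->
# numerical conversion -> missing-value handling -> normalisation, plus the
# accuracy gate on the extraction logic (steps S301-S305). Added example, not
# the patent's code: the hand-written parser stands in for http-parser, and the
# feature set, median imputation and min-max scaling are assumptions.
# The three requests below are constructed samples.
import datetime
import urllib.parse

FEATURES = ("is_post", "path_len", "n_params", "suspicious", "content_length")
SUSPICIOUS = "'\"<>();|&"


def parse_http(raw):
    """Minimal HTTP/1.1 request parser: one request per string, CRLF line ends."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": target, "version": version, "headers": headers, "body": body}


def extract_key_info(parsed):
    """Extraction logic: method, decoded path, query params, headers, decoded body,
    client address and Content-Length. With pcap-derived data the source IP comes
    from the IP layer; here it is read from X-Forwarded-For and may be missing."""
    parts = urllib.parse.urlsplit(parsed["url"])
    return {
        "method": parsed["method"],
        "path": urllib.parse.unquote(parts.path),
        "params": urllib.parse.parse_qs(parts.query, keep_blank_values=True),
        "headers": parsed["headers"],
        "body": urllib.parse.unquote_plus(parsed["body"]),
        "src_ip": parsed["headers"].get("x-forwarded-for"),
        "content_length": parsed["headers"].get("content-length"),
    }


def to_numeric(info):
    """Numerical conversion; a missing or non-numeric Content-Length becomes None."""
    text = " ".join([info["path"], info["body"]]
                    + [v for vs in info["params"].values() for v in vs]).lower()
    cl = info["content_length"]
    return {
        "is_post": 1.0 if info["method"] == "POST" else 0.0,
        "path_len": float(len(info["path"])),
        "n_params": float(sum(len(vs) for vs in info["params"].values())),
        "suspicious": float(sum(text.count(c) for c in SUSPICIOUS)),
        "content_length": float(cl) if cl is not None and cl.isdigit() else None,
    }


def fill_missing(rows):
    """Median imputation per feature over the rows that have a value (0.0 if none do)."""
    filled = [dict(r) for r in rows]
    for f in FEATURES:
        seen = sorted(r[f] for r in rows if r[f] is not None)
        median = seen[len(seen) // 2] if seen else 0.0
        for r in filled:
            if r[f] is None:
                r[f] = median
    return filled


def normalize(rows):
    """Min-max scaling to [0, 1]; a constant feature is mapped to 0."""
    lo = {f: min(r[f] for r in rows) for f in FEATURES}
    hi = {f: max(r[f] for r in rows) for f in FEATURES}
    return [[(r[f] - lo[f]) / (hi[f] - lo[f]) if hi[f] > lo[f] else 0.0 for f in FEATURES]
            for r in rows]


def preprocess(raw_requests):
    infos = [extract_key_info(parse_http(r)) for r in raw_requests]
    return normalize(fill_missing([to_numeric(i) for i in infos]))


def validate_extraction(parsed_samples, expected, threshold=0.95):
    """Steps S303-S304: run the extraction logic on hand-checked samples, gate on accuracy."""
    hits = sum(all(extract_key_info(p)[k] == v for k, v in exp.items())
               for p, exp in zip(parsed_samples, expected))
    accuracy = hits / len(parsed_samples)
    return accuracy, accuracy >= threshold


def extract_and_store(parsed_results, store=None):
    """Step S305: bulk extraction, stored under the UTC extraction time."""
    store = {} if store is None else store
    for parsed in parsed_results:
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        store.setdefault(stamp, []).append(extract_key_info(parsed))
    return store


RAW_REQUESTS = [  # constructed samples
    "GET /index.html HTTP/1.1\r\nHost: shop.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1\r\nHost: shop.example\r\nX-Forwarded-For: 203.0.113.9\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n\r\nuser=admin&pass=%3Cscript%3Ex",
]
```

Min-max scaling fits its bounds on the data it is given; in practice the bounds are computed on the training set and reused for the test set and live traffic, otherwise a single oversized request at inference time rescales every other feature.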
In one embodiment, capturing abnormal http request information in a plurality of attack scenarios simulated by an experimental environment through the target capturing tool based on the application target and scenarios includes:
selecting a plurality of attack scenarios according to the application target and scenarios, and performing simulation configuration of the plurality of attack scenarios in the experimental environment;
selecting a target attack tool, and carrying out attacks through the target attack tool based on the plurality of attack scenarios;
starting the target capturing tool and capturing, through it, the traffic generated while the target attack tool runs, so as to obtain attack data;
and after a preset stop-capture criterion is reached, sorting and marking the attack data to obtain the abnormal http request information.
In this embodiment, the several attack scenarios may be an SQL injection scenario, a cross-site scripting (XSS) scenario, and a malicious file upload scenario.
In this embodiment, simulation configuration means configuring the experimental network with deliberately vulnerable applications and the like.
In this embodiment, the target attack tool may be sqlmap, Metasploit, or the like.
In this embodiment, the target capturing tool may be Wireshark, tcpdump or the like.
In this embodiment, the preset stop capture criteria refers to stopping capture of the target capture tool after simulation of all attack scenarios is completed.
The beneficial effects of the technical scheme are as follows: by simulating various attack scenes in an experimental environment and capturing abnormal http request information, the generalization capability of the model can be improved when the model is trained.
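Sorting and marking the captured attack data, as an added example that is not the patent's code. The patent fixes no labelling rule, so labelling by scenario time window and attacker host is an assumption, as are the host address, the windows and the capture rows, which are constructed in the form tshark or Wireshark would export them.

```python
# Sorting and marking captured attack traffic by scenario time window and
# attacker host. Added example, not the patent's code: the patent says the
# attack data is sorted and marked but fixes no labelling scheme, so the
# window-based rule, the attacker address and the capture rows are assumptions;
# the capture is constructed, not a real pcap.
import datetime as dt

ATTACKER = "10.0.0.5"  # host the attack tools ran from (assumption)


def t(s):
    return dt.datetime.fromisoformat(s)


# (start, stop, scenario): written down when each attack tool was started/stopped.
WINDOWS = [
    (t("2024-01-10T10:00:00"), t("2024-01-10T10:05:00"), "sqli"),
    (t("2024-01-10T10:10:00"), t("2024-01-10T10:12:00"), "xss"),
    (t("2024-01-10T10:20:00"), t("2024-01-10T10:25:00"), "file_upload"),
]

CAPTURE = [  # (time, source IP, request line), constructed
    (t("2024-01-10T10:00:03"), "10.0.0.5", "GET /item?id=1 HTTP/1.1"),
    (t("2024-01-10T10:00:04"), "10.0.0.5", "GET /item?id=1%27%20AND%201%3D1 HTTP/1.1"),
    (t("2024-01-10T10:02:30"), "10.0.0.7", "GET /index.html HTTP/1.1"),
    (t("2024-01-10T10:07:00"), "10.0.0.5", "GET /robots.txt HTTP/1.1"),
    (t("2024-01-10T10:11:00"), "10.0.0.5", "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1"),
    (t("2024-01-10T10:21:10"), "10.0.0.5", "POST /upload HTTP/1.1"),
]


def check_windows(windows):
    """Overlapping windows would make labels ambiguous; reject them up front."""
    ordered = sorted(windows)
    for (_, stop_a, a), (start_b, _, b) in zip(ordered, ordered[1:]):
        if start_b <= stop_a:
            raise ValueError(f"windows {a} and {b} overlap")
    return ordered


def label_capture(rows, windows, attacker):
    """Return (abnormal rows with scenario labels, rows set aside).
    Only traffic from the attack host inside a window is marked abnormal;
    other hosts' traffic and the attacker's traffic between windows is set aside."""
    windows = check_windows(windows)
    labelled, aside = [], []
    for when, src, line in sorted(rows):
        scenario = next((s for start, stop, s in windows if start <= when <= stop), None)
        if src != attacker or scenario is None:
            aside.append((when, src, line))
            continue
        labelled.append({"time": when.isoformat(), "request": line,
                         "label": "abnormal", "scenario": scenario})
    return labelled, aside


def summarize(labelled):
    """Count of marked requests per scenario, to check every scenario produced data."""
    counts = {}
    for row in labelled:
        counts[row["scenario"]] = counts.get(row["scenario"], 0) + 1
    return counts


if __name__ == "__main__":
    marked, aside = label_capture(CAPTURE, WINDOWS, ATTACKER)
    print(summarize(marked), len(aside), "rows set aside")
```

The first row, an unmodified request, is marked abnormal too: attack tools send ordinary baseline requests before injecting, so window-based labels contain some benign traffic unless those rows are filtered by payload.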
The invention also provides a firewall threat detection system based on deep learning which, as shown in FIG. 4, comprises:
the crawling module 401 is configured to crawl http request information to obtain original http request information;
a preprocessing module 402, configured to preprocess the original http request information, so as to obtain preprocessed http request information;
an acquisition module 403, configured to acquire a bidirectional LSTM model injected with a self-attention mechanism;
and a training module 404, configured to train the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information, to obtain a firewall threat detection model.
The working principle and the beneficial effects of the above technical solution are described in the method claims, and are not repeated here.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure. This application is intended to cover any variations, uses, or adaptations of the disclosure following its general principles, including such departures from the present disclosure as come within known or customary practice in the art. It is intended that the specification and examples be considered as exemplary only, with the true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A firewall threat detection method based on deep learning is characterized by comprising the following steps:
crawling http request information to obtain original http request information;
preprocessing the original http request information to obtain preprocessed http request information;
acquiring a bidirectional LSTM model injected with a self-attention mechanism;
training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model.
2. The firewall threat detection method based on deep learning of claim 1, wherein crawling http request information to obtain original http request information comprises:
determining an application target and a scenario of firewall threat detection;
determining a data capturing tool and configuring the capturing tool to obtain a target capturing tool;
capturing normal http request information in a real network environment and/or a simulation environment through the target capturing tool based on the application target and the scenario;
capturing abnormal http request information in a plurality of attack scenarios simulated in an experimental environment through the target capturing tool based on the application target and the scenario;
and determining the normal http request information and the abnormal http request information as the original http request information.
3. The firewall threat detection method based on deep learning of claim 1, wherein preprocessing the original http request information to obtain preprocessed http request information comprises:
acquiring an http parsing tool, and parsing the original http request information through the http parsing tool to obtain an http parsing result;
extracting key information from the http parsing result to obtain original key information;
performing URL processing and text processing on the original key information to obtain key information after URL processing and text processing;
performing numerical conversion on the key information after URL processing and text processing to obtain key information after numerical conversion;
carrying out missing value processing on the key information after the numerical conversion to obtain key information after the missing value processing;
and normalizing the key information after the missing value processing to obtain normalized key information and determining the normalized key information as the preprocessed http request information.
4. The deep learning-based firewall threat detection method of claim 1, wherein acquiring a bidirectional LSTM model injected with a self-attention mechanism comprises:
selecting a target model construction tool, and introducing a library and a module of model construction on the target model construction tool;
determining input sequence information, and constructing a self-attention mechanism layer by setting different weights on the input sequence information based on the library and the module;
constructing an original bidirectional LSTM model according to the forward information and the reverse information of the input sequence information based on the library and the module;
and integrating the self-attention mechanism layer into the original bidirectional LSTM model to obtain the bidirectional LSTM model injected with the self-attention mechanism.
5. The deep learning-based firewall threat detection method of claim 1, wherein training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model comprises:
determining a label corresponding to the preprocessed http request information, wherein the label comprises normal and abnormal;
dividing the preprocessed http request information into a training set and a test set according to the labels and a preset proportion;
defining a loss function and an optimizer;
training the bidirectional LSTM model injected with the self-attention mechanism through the training set based on the loss function and the optimizer to obtain a trained bidirectional LSTM model;
testing the trained bidirectional LSTM model through the test set to obtain a model evaluation index;
judging whether the model evaluation index meets the target requirement, if so, determining the trained bidirectional LSTM model as the firewall threat detection model, and if not, performing parameter tuning on the trained bidirectional LSTM model, and determining the model as the firewall threat detection model after parameter tuning is completed.
6. The firewall threat detection method based on deep learning of claim 3, wherein extracting key information from the http parsing result to obtain original key information comprises:
determining a key information extraction task, and defining key information meanings according to the extraction task;
writing extraction logic according to the key information meaning;
extracting a plurality of parsing results from the http parsing result, and testing the extraction logic on the plurality of parsing results to obtain test results;
when the accuracy of the test results reaches a preset standard, extracting key information from the http parsing result through the extraction logic to obtain the original key information;
and acquiring the extraction time of the original key information, and storing the original key information according to the extraction time.
7. The deep learning-based firewall threat detection method of claim 2, wherein capturing abnormal http request information in a plurality of attack scenarios simulated in an experimental environment through the target capturing tool based on the application target and scenario comprises:
selecting a plurality of attack scenarios according to the application target and scenario, and performing simulation configuration of the plurality of attack scenarios in the experimental environment;
selecting a target attack tool, and carrying out attacks through the target attack tool based on the plurality of attack scenarios;
starting the target capturing tool to capture data while the target attack tool is operating, so as to obtain attack data;
and after the preset stop-capture criterion is reached, sorting and labeling the attack data to obtain the abnormal http request information.
8. A deep learning-based firewall threat detection system, the system comprising:
the crawling module is used for crawling the http request information to obtain the original http request information;
the preprocessing module is used for preprocessing the original http request information to obtain preprocessed http request information;
the acquisition module is used for acquiring a bidirectional LSTM model injected with a self-attention mechanism;
and the training module is used for training the bidirectional LSTM model injected with the self-attention mechanism based on the preprocessed http request information to obtain a firewall threat detection model.
9. The firewall threat detection system of claim 8, wherein,
the crawling module is further used for determining an application target and scenario of firewall threat detection; determining a data capturing tool and configuring the capturing tool to obtain a target capturing tool; capturing normal http request information in a real network environment and/or a simulation environment through the target capturing tool based on the application target and the scenario; capturing abnormal http request information in a plurality of attack scenarios simulated in an experimental environment through the target capturing tool based on the application target and the scenario; and determining the normal http request information and the abnormal http request information as the original http request information.
10. The firewall threat detection system of claim 8, wherein the preprocessing module is further configured to acquire an http parsing tool, and parse the original http request information through the http parsing tool to obtain an http parsing result; extract key information from the http parsing result to obtain original key information; perform URL processing and text processing on the original key information to obtain key information after URL processing and text processing; perform numerical conversion on the key information after URL processing and text processing to obtain key information after numerical conversion; carry out missing value processing on the key information after the numerical conversion to obtain key information after the missing value processing; and normalize the key information after the missing value processing to obtain normalized key information and determine the normalized key information as the preprocessed http request information.
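As an added illustration of the preprocessing pipeline of claims 3 and 10 (parse, extract key information, URL/text processing, numerical conversion, missing-value handling, normalization), written for this page rather than taken from the patent, using only the Python standard library and three constructed sample requests; the particular features chosen and the min-max normalization are assumptions, since the claims do not specify them:

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample requests for illustration only (not captured from any real system);
# the third one deliberately lacks a User-Agent header to exercise missing-value handling.
RAW_REQUESTS = [
    "GET /index.html?page=1 HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 22\r\n\r\nuser=%27%22%3C%3E&pw=x",
    "GET /search?q=%27%22%3C%3E%3B HTTP/1.1\r\n\r\n",
]
SPECIAL = re.compile(r"[^A-Za-z0-9 /?=&._-]")  # characters outside the usual URL alphabet (assumed feature)

def parse_http(raw):
    """Claim 3, step 1: parse a raw request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {name.strip().lower(): value.strip()
               for name, _, value in (ln.partition(":") for ln in lines[1:])}
    return {"method": method, "target": target, "headers": headers, "body": body}

def extract_key_info(req):
    """Steps 2-3: keep only the fields to be scored, then URL-decode and lower-case them."""
    parts = urlsplit(req["target"])
    return {
        "method": req["method"],
        "path": unquote_plus(parts.path).lower(),
        "query": unquote_plus(parts.query).lower(),
        "n_params": len(parse_qsl(parts.query, keep_blank_values=True)),
        "user_agent": req["headers"].get("user-agent"),  # None when the header is absent
        "body": unquote_plus(req["body"]).lower(),
    }

def to_numeric(info):
    """Step 4: convert the textual key information into a fixed-length feature vector."""
    text = info["path"] + info["query"] + info["body"]
    return [
        1.0 if info["method"] == "POST" else 0.0,
        float(len(info["path"])),
        float(info["n_params"]),
        float(len(SPECIAL.findall(text))),
        None if info["user_agent"] is None else float(len(info["user_agent"])),
    ]

def preprocess(raw_requests, fill=0.0):
    """Steps 5-6: fill missing values, then min-max normalize each column into [0, 1]."""
    rows = [to_numeric(extract_key_info(parse_http(r))) for r in raw_requests]
    rows = [[fill if v is None else v for v in row] for row in rows]
    cols = list(zip(*rows))  # one tuple per feature column, used for the column-wise min/max
    return [[0.0 if max(c) == min(c) else (v - min(c)) / (max(c) - min(c))
             for v, c in zip(row, cols)] for row in rows]
```

Each row of `preprocess(RAW_REQUESTS)` is the normalized key information for one request and would be paired with its normal/abnormal label before training.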

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202311798962.1A (CN117857157A, en) | 2023-12-25 | 2023-12-25 | Firewall threat detection method and system based on deep learning

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202311798962.1A (CN117857157A, en) | 2023-12-25 | 2023-12-25 | Firewall threat detection method and system based on deep learning

Publications (1)

Publication Number | Publication Date
CN117857157A (en) | 2024-04-09

Family ID: 90533835

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN202311798962.1A (CN117857157A, en) | Firewall threat detection method and system based on deep learning | 2023-12-25 | 2023-12-25 | Pending

Country Status (1)

Country | Link
CN (1) | CN117857157A (en)

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination