Malicious webpage file identification method and device

Abstract

Embodiments of the invention provide a malicious webpage file identification method and device. The method comprises the steps of determining feature data of each dimension of a to-be-identified webpage file, wherein each dimension comprises a combined dimension and a single dimension, the combined dimension comprises a plurality of feature data, the single dimension is only one piece of feature data; for the combined dimension in each dimension, processing the plurality of feature data of the combined dimension through a first machine learning model to obtain fused feature data of the combined dimension; obtaining a preliminary identification result of whether the to-be-identified webpage file is a malicious webpage file or not through a rule engine; and processing the preliminary identification result, the fusion feature data of the combined dimension and the feature data of the single dimension through a second machine learning model to obtain a final result whether the to-be-identified webpage file is a malicious webpage file or not. By adopting the method, the accuracy of malicious webpage file identification is improved, and the security of a computer environment is greatly improved.

Description

technical field [0001] The present application relates to the technical field of network security, in particular to a method and device for identifying malicious webpage files. Background technique [0002] With the rapid development of communication networks, the Internet has spread rapidly. Until today, the Internet has had a close or even inseparable relationship with life. But then comes the cybersecurity problem that almost everyone faces. For example, there is a webpage script trojan (webshell), which is a command execution environment in the form of malicious webpage files such as asp, php, and jsp, and can be used as a webpage backdoor; This type of malicious webpage file will be mixed with normal webpage files in the website server directory, thereby destroying the normal operation of the computer or stealing privacy. Correspondingly, in order to protect the computer from being damaged by malicious webpage files, it is necessary to identify the malicious webpage f...

AI Technical Summary

Problems solved by technology

[0003] In the prior art, there are mainly two ways to identify malicious webpage files: one is to match keywords through regular matching to detect malicious webpage files; this method has a low false positive rate, but a false negative rate High; usually the false positive rate can be controlled within 1-3%, but the false negative rate can reach 20% or even more than 30%

Another way is to use machine learning algorithms, such as random forest (random forest, RF) or deep learning network algorithms to classify malicious web files; although the false negative rate of this method can be reduced to 10% However, the false positive rate is relatively high, about 5-10%; and since non-malicious webpage file samples account for the majority of the total samples in practical applications, a false positive rate of 5-10% will generate a large number of False positives bring difficulties to subsequent screening

Images