Vulnerability detection method, device, equipment, storage medium and program product
By training models to detect server requests and application code, and combining this with simulated attack tests, the problem of existing technologies being unable to detect novel SSRF vulnerabilities has been solved. This enables accurate identification and defense against SSRF vulnerabilities, improving system security and detection efficiency.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA CONSTRUCTION BANK
- Filing Date
- 2023-03-13
- Publication Date
- 2026-06-09
Smart Images

Figure CN116305157B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of vulnerability detection technology, and in particular to a vulnerability detection method, apparatus, device, storage medium, and program product. Background Technology
[0002] With the rapid development of the internet industry, cybersecurity risks have increased dramatically, and vulnerabilities have become a major factor affecting software security. Server-Side Request Forgery (SSRF) is a security vulnerability where an attacker constructs a request that is then initiated by the server. Servers vulnerable to SSRF are often used as jump servers to obtain access information from other application servers on the external or internal networks, seriously threatening user information security. Therefore, how to detect SSRF vulnerabilities is an urgent problem to be solved.
[0003] Currently, SSRF vulnerability detection primarily involves collecting network requests initiated by the server, replacing the target address in those requests with a test address (the address of the internal network vulnerability testing platform). Further, this replaced network request is sent to the target application corresponding to that request. If the network vulnerability testing platform receives the replaced network request, it indicates that the target application has an SSRF vulnerability.
[0004] However, existing technologies can only detect known SSRF vulnerabilities and cannot detect new SSRF vulnerabilities. Summary of the Invention
[0005] This application provides a vulnerability detection method, apparatus, device, storage medium, and program product to solve the problem that existing technologies cannot detect novel SSRF vulnerabilities.
[0006] In a first aspect, embodiments of this application provide a vulnerability detection method, including:
[0007] Identify server requests from the traffic of the target application;
[0008] The server request is input into the first model, and the first result output by the first model is obtained. The first model is a model pre-trained by multiple network request samples and the first label of each network request sample. The first label is used to indicate whether the network request sample has an SSRF vulnerability, and the first result is used to indicate whether the server request has an SSRF attack behavior.
[0009] If the first result indicates that the server request contains an SSRF attack, then obtain the code of the target application;
[0010] The code of the target application is input into the second model, and the second result output by the second model is obtained. The second model is a model pre-trained with multiple application code samples and a second label for each application code sample. The second label is used to indicate whether the application code sample has an SSRF vulnerability, and the second result is used to indicate whether the code of the target application has an SSRF vulnerability.
[0011] Based on the second result, a vulnerability detection result is generated, which is used to indicate whether the target application has an SSRF vulnerability.
[0012] In one possible design of the first aspect, generating the vulnerability detection result based on the second result includes:
[0013] If the second result indicates that the code of the target application has an SSRF vulnerability, then the server request is subjected to an SSRF vulnerability simulation attack test to obtain the vulnerability detection result.
[0014] Optionally, the SSRF vulnerability simulation attack test includes:
[0015] The server requests an attack on the target machine on the internal network.
[0016] Accordingly, the vulnerability detection results include:
[0017] If the attack is successful, the vulnerability detection result is the third result, which indicates that the target application has an SSRF vulnerability.
[0018] Conversely, the vulnerability detection result is the fourth result, which indicates that the target application does not have an SSRF vulnerability.
[0019] In another possible design of the first aspect, after inputting the server request into the first model and obtaining the first result output by the first model, the method further includes:
[0020] If the first result indicates that the server request is subject to an SSRF attack, then the server request is stored in the database.
[0021] In another possible design of the first aspect, before determining the server request from the traffic of the target application, the method further includes:
[0022] Obtain a first training set, which includes multiple network request samples and a first label for each network request sample;
[0023] The model is trained based on the first training set to obtain the first model.
[0024] Optionally, the first model is a random forest model.
[0025] In another possible design of the first aspect, before determining the server request from the traffic of the target application, the method further includes:
[0026] Obtain a second training set, which includes multiple application code samples and a second label for each application code sample;
[0027] The model is trained based on the second training set to obtain the second model.
[0028] Optionally, the second model is a Naive Bayes classification model.
[0029] Secondly, embodiments of this application provide a vulnerability detection device, comprising:
[0030] The determination module is used to identify server requests from the traffic of the target application;
[0031] The input module is used to input the server request into the first model and obtain the first result output by the first model. The first model is a model pre-trained using multiple network request samples and the first label of each network request sample. The first label is used to indicate whether the network request sample has an SSRF vulnerability, and the first result is used to indicate whether the server request has an SSRF attack behavior.
[0032] The acquisition module is used to acquire the code of the target application if the first result indicates that the server request contains an SSRF attack.
[0033] The input module is further configured to input the code of the target application into the second model and obtain the second result output by the second model. The second model is a model pre-trained using multiple application code samples and a second label for each application code sample. The second label is used to indicate whether the application code sample has an SSRF vulnerability, and the second result is used to indicate whether the code of the target application has an SSRF vulnerability.
[0034] The generation module is used to generate a vulnerability detection result based on the second result, wherein the vulnerability detection result is used to indicate whether the target application has an SSRF vulnerability.
[0035] In one possible design of the second aspect, the generation module is specifically used for:
[0036] The testing module is used to perform an SSRF vulnerability simulation attack test on the server request if the second result indicates that the code of the target application has an SSRF vulnerability, and to obtain the vulnerability detection result.
[0037] Optionally, the SSRF vulnerability simulation attack test includes:
[0038] The server requests an attack on the target machine on the internal network.
[0039] Accordingly, the vulnerability detection results include:
[0040] If the attack is successful, the vulnerability detection result is the third result, which indicates that the target application has an SSRF vulnerability.
[0041] Conversely, the vulnerability detection result is the fourth result, which indicates that the target application does not have an SSRF vulnerability.
[0042] In another possible design of the second aspect, after inputting the server request into the first model and obtaining the first result output by the first model, the apparatus further includes:
[0043] The storage module is used to store the server request in the database if the first result indicates that the server request is subject to an SSRF attack.
[0044] In another possible design of the second aspect, before determining the server request from the traffic of the target application, the acquisition module is further configured to acquire a first training set, the first training set including multiple network request samples and a first label for each network request sample.
[0045] The acquisition module is further configured to train the model based on the first training set to acquire the first model.
[0046] Optionally, the first model is a random forest model.
[0047] In another possible design of the second aspect, before determining the server request from the traffic of the target application, the acquisition module is further configured to acquire a second training set, the second training set including multiple application code samples and a second label for each application code sample;
[0048] The acquisition module is further configured to train the model based on the second training set to acquire the second model.
[0049] Optionally, the second model is a Naive Bayes classification model.
[0050] Thirdly, embodiments of this application provide an electronic device, including: a processor, a memory, and computer program instructions stored in the memory and executable on the processor, wherein the processor executes the computer program instructions to implement the methods provided in the first aspect and various possible designs.
[0051] Fourthly, embodiments of this application may provide a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, are used to implement the methods provided in the first aspect and various possible designs.
[0052] Fifthly, embodiments of this application provide a computer program product, including a computer program, which, when executed by a processor, is used to implement the methods provided in the first aspect and various possible designs.
[0053] The vulnerability detection method, apparatus, device, storage medium, and program product provided in this application embodiment, in this method, server requests are determined from the traffic of a target application, the server requests are input into a first model, and a first result is obtained from the output of the first model; if the first result indicates that the server request contains SSRF attack behavior, the code of the target application is obtained, and the code of the target application is input into a second model, a second result is obtained from the output of the second model, and a vulnerability detection result is generated based on the second result. In this technical solution, the first model and the second model are models pre-trained with a large number of training samples, which have the ability to identify new SSRF attack behaviors, effectively detect new SSRF vulnerabilities and SSRF vulnerabilities that can bypass mainstream security protection devices, and greatly improve the security of the system. Attached Figure Description
[0054] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this application and, together with the description, serve to explain the principles of this application.
[0055] Figure 1 A schematic diagram of the architecture of an electronic device provided in an embodiment of this application;
[0056] Figure 2 A flowchart illustrating an embodiment of the vulnerability detection method provided in this application;
[0057] Figure 3 A flowchart illustrating Embodiment 2 of the vulnerability detection method provided in this application;
[0058] Figure 4 A flowchart illustrating Embodiment 3 of the vulnerability detection method provided in this application;
[0059] Figure 5 A flowchart illustrating Embodiment 4 of the vulnerability detection method provided in this application;
[0060] Figure 6 This is a schematic diagram of the structure of the vulnerability detection device provided in the embodiments of this application;
[0061] Figure 7 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.
[0062] The accompanying drawings illustrate specific embodiments of this application, which will be described in more detail below. These drawings and descriptions are not intended to limit the scope of the concept in any way, but rather to illustrate the concept of this application to those skilled in the art through reference to particular embodiments. Detailed Implementation
[0063] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0064] Before introducing the embodiments of this application, the terms used in the embodiments of this application will be explained first:
[0065] Machine learning algorithms: Machine learning algorithms are a class of algorithms that automatically analyze data to obtain patterns (models) and use these patterns to predict unknown data. Computer systems use these algorithms and models to perform tasks based on existing patterns and reasoning without explicit instructions. Computer systems use machine learning algorithms to process large amounts of historical data and identify data patterns, which allows the computer system to predict results more accurately based on a given input dataset.
[0066] Random Forest (RF): Random forest essentially belongs to a major branch of machine learning—ensemble learning. It's a method that integrates many decision trees into a forest to predict the final result. In the 1980s, Breiman et al. invented the classification tree algorithm, which significantly reduced computational cost by repeatedly binary-splitting data for classification or regression. In 2001, Breiman combined classification trees into random forest, randomizing the use of variables (columns) and data (rows) to generate many classification trees, and then summing the results. Random forest improves prediction accuracy without significantly increasing computational cost. Random forest is insensitive to multicollinearity, robust to missing and imbalanced data, and can effectively predict the effects of up to thousands of explanatory variables, making it one of the best algorithms currently available. As the name suggests, random forest uses random methods to build a forest composed of many decision trees, and each decision tree in a random forest is independent of the others. After obtaining the forest, when a new input sample arrives, each decision tree in the forest makes a judgment to determine which class the sample should belong to (for classification algorithms). Then, the class most frequently selected is used to predict the class of the sample. Random forests can handle both discrete and continuous attributes. Furthermore, random forests can be used for unsupervised learning clustering and outlier detection.
[0067] Naive Bayes Classifier (NBC) is a very simple classification algorithm. Its core idea is that, given an item to be classified, it calculates the probability of each category occurring given that the item is present. The category with the highest conditional probability is the category to which the item belongs. In simpler terms, without other available information, NBC will choose the category with the highest conditional probability; this is the fundamental idea behind Naive Bayes.
[0068] SSRF vulnerability: This is a security vulnerability created by an attacker who initiates a request from the server. Typically, SSRF attacks target internal systems inaccessible from the external network. The vulnerability arises because the server-side interface includes the Uniform Resource Locator (URL) parameter for the requested content, and fails to filter the URL parameter transmitted by the client. This allows attackers to pass in arbitrary addresses, causing the backend server to make a request and return the requested data to that target address. Therefore, servers vulnerable to SSRF are often used as jump servers to obtain access information from other application servers on the external or internal networks.
[0069] Next, the application background of this application will be explained:
[0070] With the rapid development of the internet industry, cybersecurity risks have increased dramatically. Cybersecurity has become a major strategic issue concerning people's work and lives, and one of the most complex, realistic, and severe non-traditional security problems. According to data from the China Internet Emergency Response Technical Team / Coordination Center (CIRC) in 2020, approximately 5.31 million hosts in China were maliciously controlled. Given this serious situation, it requires strong attention.
[0071] Currently, common hacker attack methods include Structured Query Language (SQL) injection, Cross-Site Scripting (XSS) attacks, weak passwords, and publicly disclosed command execution vulnerabilities. While there are robust defenses against these attacks, such as pre-compilation techniques for SQL injection, enabling firewalls, and Web Application Firewalls (WAFs), these methods underestimate the power of SSRF vulnerabilities. SSRF vulnerabilities can redirect malicious requests behind firewalls, bypassing container sandbox protection and directly reaching the internal network. Intranets are much more vulnerable than the internet, with numerous vulnerabilities. For example, if an unauthorized remote dictionary server (Redis) exists on the intranet, system privileges can be directly obtained by writing scheduled tasks to Redis. Alternatively, if other open-source components have vulnerabilities, proof of concept (PoC) can be directly constructed to provide evidence for a claim, SSRF vulnerabilities can be used to directly obtain privileges on the target host, and cloud services can be directly threatened, such as by controlling application programming interfaces (APIs) to gain access to cloud services.
[0072] In summary, SSRF vulnerabilities have become a new type of hacking tactic that allows attackers to quickly bypass server and container sandbox protections to collect internal network information, move laterally, and execute remote code. Therefore, how to detect SSRF vulnerabilities and defend against them in a timely manner is an urgent problem to be solved.
[0073] Currently, SSRF vulnerability detection mainly involves collecting server request traffic and then testing that server request traffic on an intranet network vulnerability testing platform. If the network vulnerability testing platform detects the server request traffic, it is determined that the server request traffic is subject to an SSRF attack.
[0074] However, SSRF attacks are constantly evolving, and SSRF attack requests are continuously being updated. Existing network vulnerability testing platforms can only detect known SSRF vulnerabilities and cannot detect new ones. Furthermore, some SSRF vulnerabilities can bypass mainstream security protection devices to achieve internal network attacks, seriously impacting user information security.
[0075] Based on the above-mentioned technical problems, the technical concept of this application is as follows:
[0076] The main reason why existing technologies can only detect known SSRF vulnerabilities is that network vulnerability testing platforms are slow to update and cannot keep pace with SSRF vulnerability attack requests. Since machine learning models have self-learning capabilities, if a model can be pre-trained to replace the network vulnerability testing platform, this model can be used for vulnerability detection, thereby accurately identifying new SSRF vulnerabilities, improving the accuracy of vulnerability identification, and ensuring user information security.
[0077] For example, the vulnerability detection method provided in this application embodiment can be applied to Figure 1 The schematic diagram of the electronic device shown is illustrated. Figure 1 This is a schematic diagram of the architecture of an electronic device provided in an embodiment of this application. Figure 1 As shown, the electronic device 100 includes an SSRF vulnerability attack traffic detection engine 101, an SSRF vulnerability code defect detection engine 102, an SSRF simulated attack testing engine 103, and an SSRF attack traffic database 104. The SSRF vulnerability attack traffic detection engine 101 deploys a first model, and the SSRF vulnerability code defect detection engine 102 deploys a second model.
[0078] In this embodiment, the server request of the target application can be input to the SSRF vulnerability attack traffic detection engine 101 to initially determine whether the server request contains SSRF attack behavior. If so, the server request is stored in the SSRF attack traffic database 104, and the code of the target application is input to the SSRF vulnerability code defect detection engine 102 to further determine whether the code of the target application contains SSRF vulnerability defects at the code level. If so, the server request stored in the SSRF attack traffic database 104 is input to the SSRF simulation attack testing engine 103 to perform SSRF vulnerability simulation attack testing, thereby obtaining the final vulnerability detection result.
[0079] It is understood that the executing entity in this embodiment can be a terminal device, such as a computer or desktop computer, or a server, such as a background processing platform. Therefore, this embodiment uses the term "electronic device" to refer to both terminal devices and servers for explanation and description. Whether the electronic device is specifically a terminal device or a server can be determined based on the actual situation.
[0080] The technical solution of this application will now be described in detail through specific embodiments.
[0081] It should be noted that the following specific embodiments can be combined with each other, and the same or similar concepts or processes may not be described again in some embodiments.
[0082] Figure 2 This is a flowchart illustrating an embodiment of the vulnerability detection method provided in this application. Figure 2 As shown, the vulnerability detection method may include the following steps:
[0083] S201. Identify server requests from the traffic of the target application.
[0084] In this embodiment, the executing entity of this application is a server that has deployed the target application, or an electronic device that is connected to the server via wired or wireless means, and the electronic device is able to obtain the traffic and code of the target application.
[0085] In this step, since SSRF vulnerabilities are security vulnerabilities that are created by attackers and initiated by the server, meaning that SSRF vulnerabilities only exist in server-side requests, it is necessary to identify server-side requests from the target application's traffic when detecting SSRF vulnerabilities. This avoids redundant vulnerability detection on non-server-side requests and improves vulnerability detection efficiency.
[0086] It should be understood that a server-side request refers to a request initiated by the server; that is, the server is the initiator of the request.
[0087] Optionally, the server request may include a GET or POST request in the Hypertext Transfer Protocol (HTTP) protocol used to retrieve the requested resource. The GET or POST request may contain fields indicating resource request information, such as a HOST field indicating the host or port number of the requested resource, a User-Agent field indicating the initiating party, a Referer field indicating the source of the request, etc. It should be noted that the server request may also contain other content, which can be determined according to the actual situation; this application does not specifically limit the content included in the server request.
[0088] S202. Input the server request into the first model and obtain the first result output by the first model.
[0089] In this step, because the application has an SSRF vulnerability, its server requests in the traffic will contain SSRF attack behavior. Therefore, after obtaining the server requests, they need to be detected using the first model to determine whether they contain SSRF attack behavior.
[0090] The first model is a model pre-trained using multiple network request samples and the first label of each network request sample. The first label is used to indicate whether the network request sample has a server-side request forgery (SSRF) vulnerability, and the first result is used to indicate whether the server-side request has SSRF attack behavior.
[0091] Optional, refer to Figure 1 The first model can be deployed in an SSRF vulnerability attack traffic detection engine. After receiving a server request, the electronic device inputs the server request into the first model in the SSRF vulnerability attack traffic detection engine, thereby obtaining the first result output by the first model through the SSRF vulnerability attack traffic detection engine.
[0092] Optionally, the first model can be pre-trained by the execution subject of this application (i.e., electronic device) or obtained by the execution subject of this application from other storage devices. This application does not impose specific restrictions on the method of obtaining the first model.
[0093] It should be understood that the specific training process of the first model will be... Figure 3 The embodiments shown are described in detail, and will not be repeated here.
[0094] S203. If the first result indicates that the server request has an SSRF vulnerability, then obtain the code of the target application.
[0095] In this step, when the first result indicates that the server request has an SSRF vulnerability, in order to avoid the first result being a false alarm caused by environmental factors, it is also necessary to check whether the target application has a real SSRF vulnerability at the code level. Before that, it is necessary to obtain the code of the target application.
[0096] It should be understood that the code of the target application is the source file written by the programmer in a language supported by the development tools. It is a set of explicit rules that represent information in discrete form using characters, symbols, or signal elements, and is used to implement the functions and business of the target application.
[0097] S204. Input the code of the target application into the second model and obtain the second result output by the second model.
[0098] In this step, after obtaining the target application's code, it is necessary to perform vulnerability detection on it using a second model to determine whether it contains incomplete code with SSRF vulnerabilities.
[0099] The second model is a model pre-trained using multiple application code samples and a second label for each application code sample. The second label is used to indicate whether the application code sample has an SSRF vulnerability, and the second result is used to indicate whether the target application's code has an SSRF vulnerability.
[0100] Optional, refer to Figure 1 The second model can be deployed in the SSRF vulnerability code defect detection engine. After receiving a server request, the electronic device inputs the server request into the second model in the SSRF vulnerability code defect detection engine, thereby obtaining the second result output by the first model through the SSRF vulnerability code defect detection engine.
[0101] It should be understood that, similar to the first model, the second model can be pre-trained by the subject of this application or obtained by the subject of this application from other storage devices. This application does not impose specific restrictions on the method of obtaining the second model.
[0102] It should be understood that the specific training process of the second model will be discussed later. Figure 4 The embodiments shown are described in detail, and will not be repeated here.
[0103] S205. Based on the second result, generate the vulnerability detection result.
[0104] In this step, after obtaining the second result, vulnerability detection results can be generated directly based on the second result. Alternatively, when the second result indicates that the target application's code has an SSRF vulnerability, an SSRF vulnerability simulation attack test can be performed on the server request to further verify whether the target application has an SSRF vulnerability and improve the accuracy of SSRF vulnerability detection.
[0105] The vulnerability detection results are used to indicate whether the server request contains an SSRF vulnerability.
[0106] In one possible implementation, a vulnerability detection result can be generated directly based on the second result. For example, if the second result indicates that the target application's code has an SSRF vulnerability, then a vulnerability detection result indicating the presence of an SSRF vulnerability in the target application is generated; if the second result indicates that the target application's code does not have an SSRF vulnerability, then a vulnerability detection result indicating the absence of an SSRF vulnerability in the target application is generated.
[0107] In another possible implementation, if the second result indicates that the target application's code has an SSRF vulnerability, then the server request is subjected to an SSRF vulnerability simulation attack test to obtain the vulnerability detection result.
[0108] In this possible implementation, SSRF vulnerability simulation attack testing includes: attacking an internal network target machine via a server-side request.
[0109] Furthermore, if the attack is successful, the vulnerability detection result is the third result, indicating that the target application has an SSRF vulnerability. Conversely, if the attack fails, the vulnerability detection result is the fourth result, indicating that the target application does not have an SSRF vulnerability.
[0110] It should be understood that if the target machine on the internal network receives a request from the server, the attack is successful; conversely, if the target machine on the internal network does not receive a request from the server, the attack fails.
[0111] In this implementation, after determining that the target application has an SSRF vulnerability through the first and second models, it is further verified to ensure the accuracy of the vulnerability detection results and avoid false alarms caused by other factors.
[0112] The vulnerability detection method provided in this application determines server requests from the traffic of a target application, inputs the server requests into a first model, and obtains a first result output by the first model. If the first result indicates that the server request contains SSRF attack behavior, the code of the target application is obtained and input into a second model to obtain a second result output by the second model. Based on the second result, a vulnerability detection result is generated. In this technical solution, the first and second models are models pre-trained with a large number of training samples, which have the ability to identify new SSRF attack behaviors and can effectively detect new SSRF vulnerabilities as well as SSRF vulnerabilities that can bypass mainstream security protection devices, greatly improving the security of the system. At the same time, the first model performs black-box detection of whether the server request contains SSRF attack behavior, and if so, the second model performs white-box detection of whether the target application code contains SSRF vulnerabilities, avoiding false alarms caused by environmental factors or other factors, and improving detection efficiency and accuracy.
[0113] Optionally, in some embodiments, after inputting a server request into a first model and obtaining the first result output by the first model, if the first result indicates that the server request exhibits SSRF attack behavior, then the server request is stored in a database. This way, storing multiple server requests in the database allows for batch testing of server requests requiring SSRF vulnerability simulation attacks, improving testing efficiency. Furthermore, storing server requests exhibiting SSRF attack behavior in a database avoids accidentally running such requests or preventing subsequent retrieval of the server request due to other operations.
[0114] It should be understood that the above embodiments specifically illustrate the process of performing vulnerability detection on a target application using the first model and the second model. Prior to this, the electronic device may also perform model training to obtain the aforementioned first model and second model.
[0115] The training processes of the first and second models will be explained in detail below.
[0116] First Model
[0117] Figure 3 This is a flowchart illustrating a second embodiment of the vulnerability detection method provided in this application. Figure 3 As shown, the vulnerability detection method may include the following steps:
[0118] S301. Obtain the first training set.
[0119] In this step, the first training set includes multiple network request samples and a first label for each network request sample.
[0120] Optionally, the network request samples mentioned above include SSRF attack network request samples as well as normal network request samples.
[0121] In one possible implementation, initial SSRF attack network request samples can be collected using the experience of cybersecurity experts and web crawlers, while initial normal network request samples can be obtained through web crawling and packet capture of normal access traffic. Then, the initial SSRF attack network request samples and the initial normal network request samples are preprocessed to filter out redundant data, thus obtaining the SSRF attack network request samples and the normal network request samples.
[0122] Optionally, the preprocessing can be data cleaning and default values, which can be implemented using a Python script. It should be understood that the preprocessing may also include other processing types, which can be determined according to the actual situation; this application embodiment does not impose specific limitations on this.
[0123] Optionally, the network request sample may include at least one of the following features: URL pseudo-protocol, request Internet Protocol (IP), special characters, port, keywords, and malicious attack payload.
[0124] For example, the above features are described in detail in Table 1 below.
[0125] Table 1
[0126]
[0127] It should be understood that Table 1 only shows a partial description and partial representation of the features. In actual applications, other descriptions and representations may also be included, and the embodiments of this application do not specifically limit them.
[0128] S302. Train the model based on the first training set to obtain the first model.
[0129] In this step, after obtaining the first training set, the first training set can be input into the initial first model for model training until the initial first model converges, thereby obtaining the first model.
[0130] Optionally, the first model is the Random Forest model. The Random Forest model is an optimized version of the Bootstrap aggregating (Bagging) algorithm based on a tree model. It combines multiple weak classifiers and uses voting to obtain the final result. In Random Forest, "randomness" makes it resistant to overfitting, and "forest" makes it more accurate. It uses CART decision trees as base learners. The selection of CART decision trees is achieved by choosing the optimal feature through the Gini index, which also determines the optimal binary split point of that optimal feature. For example, assuming there are K classes, the probability that a sample point belongs to the k-th class is... The Gini index of the probability distribution can be calculated and determined using the following formula:
[0131]
[0132] In one possible implementation, the Gini index of each network request sample in the first training set can be calculated using the formula described above. Based on a Gini index of 0.5, the network request samples in the first training set are divided into two categories: normal and malicious. During training, for each node, the Gini index is calculated iteratively for different features in the dataset corresponding to that node. The feature with the minimum Gini index and its corresponding split point are obtained as the optimal feature and optimal binary split point. Based on this optimal feature and optimal binary split point, the node is split into two child nodes, and the dataset corresponding to that node is allocated to each child node according to the optimal feature. It should be understood that the dataset of this node is the network request samples in the corresponding first training set. Further, the above steps are recursively called until a threshold is reached, i.e., a CART classification decision tree is generated. Using the CART classification decision tree as a base learner, the first model can be generated.
[0133] Alternatively, the optimal feature can be calculated using the following formula:
[0134]
[0135] For example, setting the URL pseudo-protocol to A and the request IP to B, calculate... and Value, if Therefore, the URL pseudo-protocol feature can be used as the optimal feature.
[0136] Second Model
[0137] Figure 4 This is a flowchart illustrating Embodiment 3 of the vulnerability detection method provided in this application. Figure 4 As shown, the vulnerability detection method may include the following steps:
[0138] S401. Obtain the second training set.
[0139] In this step, the second training set includes multiple application code samples and a second label for each application code sample.
[0140] In one possible implementation, the application code samples include SSRF vulnerability-deficient application code samples and normal application code samples. These samples can be obtained from publicly available SSRF vulnerability code on the internet, as well as from the experience of security experts.
[0141] Optionally, the SSRF vulnerability-infected application code sample may include at least one of the following: file_get_contents, sockopen(), curl_exec(), ImageIO, HttpURLConnection; the normal application code sample may include at least one of the following: String, new, isset, function.
[0142] S402. Train the model based on the second training set to obtain the second model.
[0143] In this step, after obtaining the second training set, the second training set can be input into the initial second model for model training until the model converges, thereby obtaining the second model.
[0144] Optionally, the second model is a Naive Bayes classification model.
[0145] There is no existing method for detecting SSRF vulnerabilities using machine learning. In the above embodiment, by training models on the first training set and the second training set respectively, the first model and the second model are determined, laying the foundation for subsequent vulnerability detection using the first model and the second model, and improving the richness of SSRF vulnerability detection methods.
[0146] Based on the vulnerability detection method shown in the above embodiments, the method will be explained in detail through a specific embodiment.
[0147] Figure 5 This is a flowchart illustrating Embodiment 4 of the vulnerability detection method provided in this application. Figure 5 As shown, the vulnerability detection method may include the following steps:
[0148] Before vulnerability detection, a first model is obtained by training the model based on the first training set, and then the first model is deployed to the SSRF vulnerability attack traffic detection engine; at the same time, a second model is obtained by training the model based on the second training set, and the second model is deployed to the SSRF vulnerability code defect detection engine.
[0149] After deploying the first and second models to their respective engines, server requests are identified from the target application's traffic. An SSRF vulnerability attack traffic detection engine is used to determine if these server requests exhibit SSRF attack behavior. If not, the target application has no SSRF vulnerability. If so, the server request is recorded and stored in the SSRF attack traffic database. The target application's code is then retrieved, and an SSRF vulnerability code defect detection engine is used to determine if the target application's code has an SSRF vulnerability. If not, the target application has no SSRF vulnerability. If so, the server request stored in the SSRF attack traffic database is subjected to an SSRF vulnerability simulation attack test. If the attack fails, the target application has no SSRF vulnerability; if the attack succeeds, the target application has an SSRF vulnerability.
[0150] Compared with existing technologies, the embodiments of this application do not rely on the skill level of security testers, thus avoiding a large number of false alarms caused by the low skill level of security testers, and improving the efficiency and accuracy of vulnerability detection.
[0151] It should be understood that the technical solutions shown in any of the above embodiments, including the collection, storage, use, processing, transmission, provision and disclosure of information such as traffic, application code, first training set and second training set, all comply with the provisions of relevant laws and regulations and do not violate public order and good morals.
[0152] The following are embodiments of the apparatus described in this application, which can be used to execute the embodiments of the method described in this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the method described in this application.
[0153] Figure 6 This is a schematic diagram of the vulnerability detection device provided in an embodiment of this application. Figure 6 As shown, the vulnerability detection device 600 includes:
[0154] The determination module 601 is used to determine server requests from the traffic of the target application;
[0155] The input module 602 is used to input the server request into the first model and obtain the first result output by the first model. The first model is a model pre-trained by multiple network request samples and the first label of each network request sample. The first label is used to indicate whether the network request sample has an SSRF vulnerability, and the first result is used to indicate whether the server request has an SSRF attack behavior.
[0156] The acquisition module 603 is used to acquire the code of the target application if the first result indicates that the server request contains an SSRF attack.
[0157] The input module 602 is also used to input the code of the target application into the second model and obtain the second result output by the second model. The second model is a model pre-trained by multiple application code samples and the second label of each application code sample. The second label is used to indicate whether the application code sample has an SSRF vulnerability, and the second result is used to indicate whether the code of the target application has an SSRF vulnerability.
[0158] The generation module 604 is used to generate vulnerability detection results based on the second result. The vulnerability detection results are used to indicate whether the target application has an SSRF vulnerability.
[0159] In one possible design of this application embodiment, the generation module 604 is specifically used for:
[0160] The testing module is used to perform an SSRF vulnerability simulation attack test on the server request if the second result indicates that the code of the target application has an SSRF vulnerability, and to obtain the vulnerability detection result.
[0161] Optional, SSRF vulnerability simulation attack tests include:
[0162] Attack the internal network target machine by requesting an attack through the server;
[0163] Accordingly, the vulnerability detection results include:
[0164] If the attack is successful, the vulnerability detection result will be the third result, which indicates that the target application has an SSRF vulnerability.
[0165] Conversely, the vulnerability detection result is the fourth result, which indicates that the target application does not have an SSRF vulnerability.
[0166] In another possible design of this application embodiment, after inputting the server request into the first model and obtaining the first result output by the first model, the vulnerability detection device 600 further includes:
[0167] The storage module is used to store the server request in the database if the first result indicates that the server request contains an SSRF attack.
[0168] In another possible design of this application embodiment, before determining the server request from the traffic of the target application, the acquisition module 603 is further configured to acquire a first training set, the first training set including multiple network request samples and a first label for each network request sample;
[0169] The acquisition module 603 is also used to train the model based on the first training set and acquire the first model.
[0170] Optionally, the first model is the random forest model.
[0171] In another possible design of this application embodiment, before determining the server request from the traffic of the target application, the acquisition module 603 is further used to acquire a second training set, the second training set including multiple application code samples and a second label for each application code sample;
[0172] The acquisition module 603 is also used to train the model based on the second training set and acquire the second model.
[0173] Optionally, the second model is a Naive Bayes classification model.
[0174] The vulnerability detection device provided in this application can be used to execute the vulnerability detection method in any of the above embodiments. Its implementation principle and technical effect are similar, and will not be described again here.
[0175] It should be noted that the division of the various modules in the above device is merely a logical functional division. In actual implementation, they can be fully or partially integrated into a single physical entity, or they can be physically separated. Furthermore, these modules can be implemented entirely in software via processing element calls; they can be fully implemented in hardware; or some modules can be implemented by processing element calls to software, while others are implemented in hardware. Additionally, these modules can be fully or partially integrated together, or implemented independently. The processing element mentioned here can be an integrated circuit with signal processing capabilities. In the implementation process, each step of the above method or each of the above modules can be completed through the integrated logic circuits in the hardware of the processor element or through software instructions.
[0176] Figure 7 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Figure 7 As shown, the electronic device 100 may include: a processor 701, a memory 702, and computer program instructions stored in the memory 702 and executable on the processor 701. When the processor 701 executes the computer program instructions, it implements the vulnerability detection method provided in any of the foregoing embodiments.
[0177] Optionally, the various devices of the electronic device 100 can be connected to each other via a system bus.
[0178] The memory 702 can be a separate memory unit or a memory unit integrated into the processor. The number of processors can be one or more.
[0179] Optionally, the electronic device 100 may also include an interface for interacting with other devices.
[0180] A transceiver is used to communicate with other computers; it forms a communication interface.
[0181] It should be understood that the processor 701 can be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), etc. The general-purpose processor can be a microprocessor or any conventional processor. The steps of the method disclosed in this application can be directly manifested as being executed by a hardware processor, or being executed by a combination of hardware and software modules within the processor.
[0182] The system bus can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The system bus can be divided into address bus, data bus, control bus, etc. For ease of representation, only one thick line is used in the diagram, but this does not indicate that there is only one bus or one type of bus. Memory may include random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk storage device.
[0183] All or part of the steps of the above method embodiments can be implemented by hardware related to program instructions. The aforementioned program can be stored in a readable memory. When the program is executed, it performs the steps of the above method embodiments; and the aforementioned memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid-state drive, magnetic tape, floppy disk, optical disk, and any combination thereof.
[0184] The electronic device provided in this application embodiment can be used to execute the vulnerability detection method provided in any of the above method embodiments. Its implementation principle and technical effect are similar, and will not be described again here.
[0185] This application provides a computer-readable storage medium storing computer-executable instructions. When these instructions are executed on a computer, the computer performs the aforementioned vulnerability detection method.
[0186] The aforementioned computer-readable storage medium can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory, electrically erasable programmable read-only memory, erasable programmable read-only memory, programmable read-only memory, read-only memory, magnetic storage, flash memory, magnetic disk, or optical disk. The readable storage medium can be any available medium accessible to a general-purpose or special-purpose computer.
[0187] Optionally, a readable storage medium can be coupled to the processor, enabling the processor to read information from and write information to the readable storage medium. Alternatively, the readable storage medium can be an integral part of the processor. The processor and the readable storage medium can reside in an Application Specific Integrated Circuit (ASIC). Alternatively, the processor and the readable storage medium can exist as discrete components in the device.
[0188] This application also provides a computer program product, which includes a computer program stored in a computer-readable storage medium. At least one processor can read the computer program from the computer-readable storage medium, and when the at least one processor executes the computer program, it can implement the above-described vulnerability detection method.
[0189] It should be understood that this application is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.
Claims
1. A vulnerability detection method, characterized in that, include: Identify server requests from the traffic of the target application; The server request is input into the first model, and the first result output by the first model is obtained. The first model is a model that is pre-trained using multiple network request samples and the first label of each network request sample. The first label is used to indicate whether the network request sample has a server request forgery SSRF vulnerability, and the first result is used to indicate whether the server request has SSRF attack behavior. If the first result indicates that the server request contains an SSRF attack, then obtain the code of the target application; The code of the target application is input into the second model, and the second result output by the second model is obtained. The second model is a model pre-trained with multiple application code samples and a second label for each application code sample. The second label is used to indicate whether the application code sample has an SSRF vulnerability, and the second result is used to indicate whether the code of the target application has an SSRF vulnerability. Based on the second result, a vulnerability detection result is generated, which is used to indicate whether the target application has an SSRF vulnerability. The step of generating vulnerability detection results based on the second result includes: If the second result indicates that the code of the target application has an SSRF vulnerability, then the server request is subjected to an SSRF vulnerability simulation attack test to obtain the vulnerability detection result.
2. The method according to claim 1, characterized in that, The SSRF vulnerability simulation attack test includes: The server requests an attack on the target machine on the internal network. Accordingly, the vulnerability detection results include: If the attack is successful, the vulnerability detection result is the third result, which indicates that the target application has an SSRF vulnerability. Conversely, the vulnerability detection result is the fourth result, which indicates that the target application does not have an SSRF vulnerability.
3. The method according to claim 1 or 2, characterized in that, After inputting the server request into the first model and obtaining the first result output by the first model, the method further includes: If the first result indicates that the server request is subject to an SSRF attack, then the server request is stored in the database.
4. The method according to claim 1 or 2, characterized in that, Before determining the server request from the traffic of the target application, the method further includes: Obtain a first training set, which includes multiple network request samples and a first label for each network request sample; The model is trained based on the first training set to obtain the first model.
5. The method according to claim 4, characterized in that, The first model is a random forest model.
6. The method according to claim 1 or 2, characterized in that, Before determining the server request from the traffic of the target application, the method further includes: Obtain a second training set, which includes multiple application code samples and a second label for each application code sample; The model is trained based on the second training set to obtain the second model.
7. The method according to claim 6, characterized in that, The second model is the Naive Bayes classification model.
8. A vulnerability detection device, characterized in that, include: The determination module is used to identify server requests from the traffic of the target application; The input module is used to input the server request into the first model and obtain the first result output by the first model. The first model is a model pre-trained using multiple network request samples and the first label of each network request sample. The first label is used to indicate whether the network request sample has a server request forgery (SSRF) vulnerability, and the first result is used to indicate whether the server request has SSRF attack behavior. The acquisition module is used to acquire the code of the target application if the first result indicates that the server request contains an SSRF attack. The input module is further configured to input the code of the target application into the second model and obtain the second result output by the second model. The second model is a model pre-trained using multiple application code samples and a second label for each application code sample. The second label is used to indicate whether the application code sample has an SSRF vulnerability, and the second result is used to indicate whether the code of the target application has an SSRF vulnerability. A generation module is used to generate a vulnerability detection result based on the second result, wherein the vulnerability detection result is used to indicate whether the target application has an SSRF vulnerability; Specifically, the generation module is used for: If the second result indicates that the code of the target application has an SSRF vulnerability, then the server request is subjected to an SSRF vulnerability simulation attack test to obtain the vulnerability detection result.
9. An electronic device, comprising: A processor, a memory, and computer program instructions stored in the memory and executable on the processor, characterized in that the processor executes the computer program instructions to implement the vulnerability detection method as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, are used to implement the vulnerability detection method as described in any one of claims 1 to 7.
11. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it is used to implement the vulnerability detection method as described in any one of claims 1 to 7.