Method and device for processing request text, electronic equipment and storage medium

By augmenting the command injection text and non-attack request text with data, a rich sample dataset is generated. Then, by using an attack detection model for multi-scale feature extraction and feature fusion, the problem of accurate identification of command injection attacks in servers is solved, and more efficient attack detection is achieved.

CN118694547BActive Publication Date: 2026-07-03BEIJING HONGTENG INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
BEIJING HONGTENG INTELLIGENT TECH CO LTD
Filing Date
2023-03-24
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In existing technologies, servers have difficulty effectively identifying HTTP request text for command injection attacks, leading to either missed or false positives.

Method used

By performing data augmentation on command attack texts and non-attack request texts, a rich sample request dataset is generated. Then, multi-scale feature extraction and feature fusion are performed using an attack detection model to train the model and improve detection accuracy.

Benefits of technology

It enhances the robustness and accuracy of the attack detection model, reduces false detections, and can effectively identify and prevent command injection attacks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN118694547B_ABST
    Figure CN118694547B_ABST
Patent Text Reader

Abstract

This application provides a method, apparatus, electronic device, and storage medium for processing request text. In this method, the attack request text is enriched by combining command attack text with non-attack request text, thereby enhancing the attack detection performance of the attack detection model. The attack detection model extracts features at multiple scales based on the target request text, obtaining features at various scales that can characterize most of the features of the target request text. Feature fusion of these multiple scales achieves complementary advantages, enabling the attack detection model to obtain more robust and accurate detection results. The attack detection model is trained based on the loss value between the detection results and the labeled results. In practical applications, using the attack detection model to detect request text can avoid false detections; when the attack detection model detects that the request text is an attack request text, corresponding measures can be taken to prevent further attacks from that request text.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer technology, and more specifically, to methods, apparatus, electronic devices, and storage media for processing request text in the field of computer technology. Background Technology

[0002] With the continuous development of network technology, network security issues are also increasing. Normally, network users can obtain various network resources from servers by sending Hypertext Transfer Protocol (HTTP) request text. However, if the network user is a hacker, the hacker can inject commands into the HTTP request to obtain network resources that pose a data security risk to the server, which is extremely dangerous.

[0003] In related technologies, servers often match the HTTP request text to be detected with multiple HTTP request texts containing command injection attacks. If a match is found, the server determines that the HTTP request text to be detected is an attack text and then issues a command injection attack alert. However, in real-world network environments, the HTTP request texts to be detected are complex and diverse. Therefore, this method may result in either missed or false alarms. Summary of the Invention

[0004] This application provides a method, apparatus, electronic device, and storage medium for processing request text, the method being capable of...

[0005] Firstly, a method for processing request text is provided. This method includes: obtaining a target request text from a sample request dataset, the sample request dataset including attack request text and non-attack request text, wherein the attack request text is obtained by data augmentation of the command attack text and the non-attack request text; inputting the target request text into an attack detection model, wherein the attack detection model performs multi-scale feature extraction based on the target request text to obtain multiple features at different scales; fusing the multiple features at different scales to obtain fused features, and determining a detection result for the target request text based on the fused features; and training the attack detection model based on a loss value between the detection result and the annotation result of the target request text, wherein the annotation result is used to indicate whether the target request text is an attack request text.

[0006] In the above technical solution, the attack request text in the sample request dataset is obtained by data augmentation of command attack text and non-attack request text. In other words, the attack request text in the sample request dataset can be enriched by combining command attack text and non-attack request text. To a certain extent, this can enhance the attack detection effect of the attack detection model on the request text to be detected. The target request text is obtained from the sample request dataset; the attack detection model performs multi-scale feature extraction based on the target request text, obtaining multiple features at different scales, which can characterize most of the features of the target request text. These multiple features at different scales are fused to obtain fused features, achieving complementary advantages of features at different scales, enabling the attack detection model to obtain more robust and accurate detection results. The detection result for the target request text is determined based on the fused features; the attack detection model is trained based on the loss value between the detection result and the labeled result of the target request text. Therefore, in practical applications, the trained attack detection model can be used to detect attacks on request text, avoiding the problem of false detections; and if the attack detection model detects that the request text is an attack request text, corresponding measures can be taken to prevent further attacks.

[0007] In conjunction with the first aspect, in some possible implementations, the method for data augmentation of the command attack text and the non-attack request text includes: augmenting the command attack text to obtain the command attack augmented text; and augmenting the non-attack request text based on the command attack augmented text to obtain the attack request text.

[0008] In the above technical solution, since command attack text exists within request text in practical applications, meaning the request text is offensive because it contains command attack text; furthermore, in practical applications, directly usable attack request texts are relatively few, and collecting them is extremely costly. Therefore, data augmentation can be performed on the command attack text to obtain command attack augmented text, thus increasing the number of command attack texts; based on the command attack augmented text, data augmentation can be performed on non-attack request texts (multiple non-attack request texts) to obtain attack request texts. In other words, multiple command attack texts exist within multiple non-attack request texts, which further increases the number of attack request texts.

[0009] In combination with the first aspect and the above implementation methods, in some possible implementation methods, data augmentation is performed on the command attack text to obtain command attack augmented text, including at least one of the following: adding a first command field to the command attack text to obtain the command attack augmented text; updating the parameters of at least one command field in the command attack text to obtain the command attack augmented text; deleting a second command field from the command attack text to obtain the command attack augmented text.

[0010] In the above technical solutions, it should be understood that text data augmentation techniques include, but are not limited to, random word addition / deletion, synonym replacement, and text truncation / concatenation. However, these techniques cannot be directly used in attack detection scenarios. This is because for the attack request text to be effective, the integrity of the command attack text must be maintained within it, and arbitrary cutting and splicing are not allowed. For example, most command attack texts have parameters and their own syntactic structure, requiring the continuity and integrity of the attack command and its parameters to be maintained. Therefore, the above technical solutions add a first command field to the command attack text; update the parameters of at least one command field in the command attack text; and delete a second command field in the command attack text to achieve data augmentation of the command attack text, resulting in augmented command attack text.

[0011] In combination with the first aspect and the above implementation methods, in some possible implementation methods, the non-attack request text is augmented based on the command attack enhancement text to obtain the attack request text, including at least one of the following: nesting the command field in the command attack enhancement text in the non-attack request text to obtain the attack request text; replacing the request text in the non-attack request text with the command field in the command attack enhancement text to obtain the attack request text.

[0012] In the above technical solution, the command attack text (command attack enhancement text) exists in the request text (non-attack request text) in two ways. Specifically, the command field in the command attack enhancement text is nested in the non-attack request text; the request text in the non-attack request text is replaced with the command field in the command attack enhancement text to obtain a larger number of attack request texts and enrich the attack request text in the sample request dataset.

[0013] In summary, this application proposes a method for processing request text. The attack request text in the sample request dataset is obtained by augmenting command attack text and non-attack request text. In other words, the attack request text in the sample request dataset can be enriched by combining command attack text and non-attack request text. To a certain extent, this can enhance the attack detection performance of the attack detection model on the request text to be detected. The method involves obtaining the target request text from the sample request dataset; the attack detection model then extracts multi-scale features from the target request text, obtaining features at multiple different scales, which can represent most of the features of the target request text. These features at multiple different scales are then fused to obtain fused features, achieving complementary advantages and enabling the attack detection model to obtain more robust and accurate detection results. The detection result for the target request text is determined based on the fused features; the attack detection model is then trained based on the loss value between the detection result and the labeled result of the target request text. Therefore, in practical applications, the trained attack detection model can be used to detect attacks on request texts, avoiding the problem of false detections. Furthermore, if the attack detection model detects that the request text is an attack request text, corresponding measures can be taken to prevent further attacks on the request text.

[0014] Furthermore, in practical applications, command attack text exists within request text; that is, the reason a request text is offensive is because it contains command attack text. Moreover, in practical applications, directly usable attack request texts are relatively few, and collecting them is extremely costly. Therefore, data augmentation can be performed on command attack texts to obtain augmented command attack texts, thus increasing the number of command attack texts. Based on the augmented command attack texts, data augmentation can be performed on non-attack request texts (multiple non-attack request texts) to obtain attack request texts. In other words, multiple command attack texts exist within multiple non-attack request texts, which further increases the number of attack request texts.

[0015] Secondly, a method for processing request text is provided. The method includes: inputting the request text to be detected into an attack detection model, which is trained from target request texts in a sample request dataset, the sample request dataset including attack request texts and non-attack request texts, the attack request texts being obtained by data augmentation of command attack texts and non-attack request texts; performing multi-scale feature extraction on the request text to be detected by the attack detection model to obtain multiple features at different scales; fusing the multiple features at different scales by the attack detection model to obtain fused features; and performing attack detection on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text.

[0016] The above technical solution describes the process of using an attack detection model to detect attacks on request text (the request text to be detected) in practical applications. The attack detection model is trained on non-attack request text and data-augmented attack request text (the target request text in the sample request dataset). Therefore, the trained attack detection model has better attack detection performance. The specific process of using the attack detection model to detect attacks on the request text to be detected is as follows: The attack detection model extracts features from the request text to be detected at multiple scales, obtaining features at multiple different scales; these features are then fused to obtain fused features, and attack detection is performed on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text.

[0017] In conjunction with the second aspect, in some possible implementations, the method further includes: if the request text to be detected is an attack request text, determining a first response message for the request text to be detected; based on the first response message and a reference response message of the attack request text, determining that the request text to be detected has successfully attacked the response device, wherein the reference response message is a message obtained by the attack request text successfully attacking the response device, and the response device is the device that generated the first response message.

[0018] In the above technical solution, an attack request text can only successfully attack the responding device if the request text to be detected is an attack request text. Therefore, when the request text to be detected is an attack request text, further processing can be performed on the request text to be detected. Specifically, the first response message of the request text to be detected is determined, and the success or failure of the attack is detected based on a reference response message of an attack request text that successfully attacked the responding device.

[0019] In conjunction with the second aspect and the above implementation methods, in some possible implementation methods, determining that the request text to be detected has successfully attacked the response device based on the first response message and the reference response message of the attack request text includes at least one of the following: determining that the request text to be detected has successfully attacked the response device when the first response message contains multiple fields of a specified format using regular expressions, wherein the multiple fields of the specified format are obtained from the reference response message; extracting the attack semantic vector of the reference response message and the first semantic vector of the first response message; determining the similarity between the first semantic vector and the attack semantic vector; and determining that the request text to be detected has successfully attacked the response device when the similarity is greater than a preset similarity.

[0020] In the above technical solution, two methods are used to determine whether the request text to be detected has successfully attacked the response device. Specifically, when the format of the request text to be detected is relatively simple, regular expressions are used to search for multiple fields of a specified format (these multiple fields of a specified format are obtained from a reference response message) in the first response message of the request text to be detected to determine whether the request text to be detected has successfully attacked the response device. When the format of the request text to be detected is relatively complex, the similarity between the attack semantic vector of the reference response message and the first semantic vector of the first response message is used. If the similarity is greater than a preset similarity, it is determined that the request text to be detected has successfully attacked the response device.

[0021] In summary, this application proposes a method for processing request text, describing the process of using an attack detection model to detect attacks on request text (the request text to be detected) in practical applications. The attack detection model is trained on non-attack request text and data-augmented attack request text (the target request text in the sample request dataset), thus achieving better attack detection performance. The process of using the attack detection model to detect attacks on the request text to be detected is as follows: the attack detection model extracts multi-scale features from the request text to be detected, obtaining features at multiple different scales; these features are then fused to obtain fused features, and attack detection is performed on the request text to be detected based on these fused features to determine whether the request text to be detected is an attack request text.

[0022] Furthermore, since an attack request text can only successfully attack a responding device if it is itself an attack request text, further processing is performed on the request text when it is indeed an attack request text. Specifically, the first response message of the request text to be detected is determined, and the success or failure of the attack is determined based on a reference response message of an attack request text that successfully attacked the responding device.

[0023] Thirdly, an apparatus for processing request text is provided, comprising: an acquisition module for acquiring target request text from a sample request dataset, the sample request dataset including attack request text and non-attack request text, the attack request text being obtained by data augmentation of command attack text and the non-attack request text; and a processing module for: inputting the target request text into an attack detection model, the attack detection model performing multi-scale feature extraction based on the target request text to obtain multiple features at different scales; fusing the multiple features at different scales to obtain fused features, and determining a detection result for the target request text based on the fused features; and training the attack detection model based on a loss value between the detection result and the annotation result of the target request text, the annotation result being used to indicate whether the target request text is an attack request text.

[0024] In conjunction with the third aspect, in some possible implementations, the device further includes: a data enhancement module, configured to: perform data enhancement on the command attack text to obtain command attack enhanced text; and perform data enhancement on the non-attack request text based on the command attack enhanced text to obtain the attack request text.

[0025] In conjunction with the third aspect and the above implementation methods, in some possible implementation methods, the data augmentation module is specifically used for at least one of the following: adding a first command field to the command attack text to obtain the command attack augmented text; updating the parameters of at least one command field in the command attack text to obtain the command attack augmented text; deleting a second command field from the command attack text to obtain the command attack augmented text.

[0026] In conjunction with the third aspect and the above implementation methods, in some possible implementation methods, the data augmentation module is specifically used for at least one of the following: nesting the command field in the command attack augmentation text within the non-attack request text to obtain the attack request text; replacing the request text in the non-attack request text with the command field in the command attack augmentation text to obtain the attack request text.

[0027] Fourthly, an apparatus for processing request text is provided, comprising: an input module for inputting a request text to be detected into an attack detection model, the attack detection model being trained from target request texts in a sample request dataset, the sample request dataset including attack request texts and non-attack request texts, the attack request texts being obtained by data augmentation of command attack texts and the non-attack request texts; an extraction module for performing multi-scale feature extraction on the request text to be detected by the attack detection model to obtain multiple features at different scales; and a detection module for fusing the multiple features at different scales by the attack detection model to obtain fused features, and performing attack detection on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text.

[0028] In conjunction with the fourth aspect, in some possible implementations, the apparatus further includes: a determining module, configured to: determine a first response message for the request text to be detected if the request text to be detected is an attack request text; and determine, based on the first response message and a reference response message of the attack request text, that the request text to be detected has successfully attacked the response device, wherein the reference response message is a message obtained by the attack request text successfully attacking the response device, and the response device is the device that generated the first response message.

[0029] In conjunction with the fourth aspect and the above implementation methods, in some possible implementation methods, the determining module is specifically used for at least one of the following: when the first response message contains multiple fields of a specified format using regular expressions, determining that the request text to be detected has successfully attacked the response device, wherein the multiple fields of the specified format are obtained from the reference response message; extracting the attack semantic vector of the reference response message and the first semantic vector of the first response message; determining the similarity between the first semantic vector and the attack semantic vector; and determining that the request text to be detected has successfully attacked the response device if the similarity is greater than a preset similarity.

[0030] Fifthly, a computer-readable storage medium is provided, which stores instructions that, when executed on a computer or processor, cause the computer or processor to perform the methods of the first aspect or any possible implementation thereof, and cause the computer or processor to perform the methods of the second aspect or any possible implementation thereof. Attached Figure Description

[0031] Figure 1 This is a schematic diagram of the structure of a network system provided in an embodiment of this application;

[0032] Figure 2This is a schematic flowchart illustrating a method for processing request text provided in an embodiment of this application;

[0033] Figure 3 This is a schematic diagram of a first feature provided in an embodiment of this application;

[0034] Figure 4 This is a schematic diagram illustrating the determination of fusion features according to an embodiment of this application;

[0035] Figure 5 This is a schematic diagram illustrating another method for determining fusion features provided in an embodiment of this application;

[0036] Figure 6 This is a schematic flowchart illustrating another method for processing request text provided in an embodiment of this application;

[0037] Figure 7 This is a schematic diagram of the structure of an apparatus for processing request text provided in an embodiment of this application;

[0038] Figure 8 This is a schematic diagram of another apparatus for processing request text provided in an embodiment of this application;

[0039] Figure 9 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0040] The technical solutions of this application will now be described clearly and in detail with reference to the accompanying drawings. In the description of the embodiments of this application, "multiple" refers to two or more. The terms "first" and "second" are used for descriptive purposes only and should not be construed as implying or suggesting relative importance or implicitly indicating the number of indicated technical features. Therefore, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature.

[0041] Figure 1 This is a schematic diagram of the structure of a network system provided in an embodiment of this application.

[0042] For example, such as Figure 1 As shown, the network system includes multiple access devices, third-party devices, and a server. The server is a response device that can respond to request texts from the multiple access devices, including a first access device, a second access device, and a third access device. The third-party devices (electronic devices) are used to perform attack detection on the request texts from the multiple access devices accessing the server; and, if the request text is an attack request text, further detect whether the attack on the server was successful.

[0043] Taking the example of a first access device accessing a server, the process of processing a request text is described. The first access device needs to obtain a first resource from the server. Therefore, the first access device can send an HTTP request text to the server. This HTTP request text carries the source address (the address of the first access device), the destination address (the address of the server), and the content to be requested. When the server receives this HTTP request text, it processes the HTTP request text and then sends it to the electronic device.

[0044] The server responds to the requested HTTP request text based on the requested content, receiving a response message. The electronic device performs attack detection on the HTTP request text. If the HTTP request text is not an attack request text, the electronic device sends a first signal to the server, indicating that the HTTP request text is not an attack request text, and the server does not take any defensive measures against the first access device. If the HTTP request text is an attack request text, the electronic device sends a second signal to the server and examines the response message of the HTTP request text to determine whether the HTTP request text successfully attacked the server, where the second signal indicates that the HTTP request text is an attack request text. If the HTTP request text successfully attacked the server, the electronic device sends a third signal to the server, indicating that the HTTP request text successfully attacked the server, and the server may not respond to any other HTTP request text received from the first access device in the future.

[0045] Figure 2 This is a schematic flowchart illustrating a method for processing request text provided in an embodiment of this application.

[0046] It should be understood that the method for processing request text provided in this application embodiment can be applied to... Figure 1 The server shown. Alternatively, this method of processing request text can also be applied to a third-party device (electronic device) that communicates with the server, which can perform attack detection on the request text for accessing the server, and if the request text is an attack request text, detect whether the attack on the server was successful.

[0047] For example, such as Figure 2 As shown, the method 200 includes:

[0048] 201. The electronic device obtains target request text from a sample request dataset, which includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text.

[0049] It should be understood that the "attack request text" in step 201 above can be interpreted as request text containing command attack text. For example, an HTTP request injected with a command attack; "non-attack request text" can be understood as request text without command attack text; "command attack text" can be understood as offensive or destructive command text, which can be command text from Windows systems and / or Linux systems. For example, ping -l 6550 -t server's IP address. Here, "-l" is the size of the data packet sent, and "-t" means continuously sending data packets to the server. This command attack text indicates that 6550-byte data packets will be continuously sent to the server, which will cause the server's system to crash.

[0050] It should also be understood that the sample request dataset includes positive and negative samples, where positive samples are attack request texts and negative samples are non-attack request texts. This allows the attack detection model trained on both attack and non-attack request texts to accurately detect attacks on the request text to be detected. However, in practical applications, directly usable attack request texts are relatively few, and collecting them is extremely costly. Therefore, in this implementation, data augmentation is performed on both the command attack text and the non-attack request text to obtain attack request texts. Then, a sample request dataset is formed based on the non-attack request texts and the data-augmented attack request texts. This allows the trained attack detection model to obtain more accurate detection results when performing attack detection on the request text to be detected.

[0051] In one possible implementation, the method by which the electronic device performs data augmentation on the command attack text and the non-attack request text includes: the electronic device performing data augmentation on the command attack text to obtain command attack augmented text; and the electronic device performing data augmentation on the non-attack request text based on the command attack augmented text to obtain the attack request text.

[0052] It should be understood that in practical applications, command attack text exists within the request text. In other words, the reason a request text is offensive is because it contains command attack text. Furthermore, in practice, directly usable attack request texts are relatively few, and collecting them is extremely costly. Therefore, it is necessary to increase the number of attack request texts available.

[0053] In the above technical solution, data augmentation can be performed on the command attack text to obtain command attack augmented text, thereby increasing the number of command attack texts; based on the command attack augmented text, data augmentation can be performed on non-attack request texts (multiple non-attack request texts) to obtain attack request texts. In other words, multiple command attack texts exist in multiple non-attack request texts, which can increase the number of attack request texts.

[0054] The process of “data augmentation of the command attack text, and data augmentation of the non-attack request text based on the command attack augmentation text” is discussed in detail below.

[0055] In one possible implementation, the electronic device performs data augmentation on the command attack text to obtain command attack augmented text, including at least one of the following: the electronic device adds a first command field to the command attack text to obtain the command attack augmented text; the electronic device updates the parameters of at least one command field in the command attack text to obtain the command attack augmented text; the electronic device deletes a second command field from the command attack text to obtain the command attack augmented text.

[0056] It should be understood that text data augmentation techniques include, but are not limited to, random word addition or deletion, synonym replacement, and text truncation and concatenation. However, these techniques cannot be directly used in attack detection scenarios. This is because for the attack request text to be effective, the integrity of the command attack text must be maintained within it, and arbitrary cutting and splicing are not allowed. For example, most command attack texts have parameters and their own syntactic structure, requiring the continuity and integrity of the attack command and its parameters to be maintained.

[0057] Based on the above explanation and description, in the above technical solution, a first command field can be added to the command attack text; the parameters of at least one command field in the command attack text can be updated; and a second command field can be deleted from the command attack text to achieve data enhancement of the command attack text and obtain command attack enhanced text.

[0058] For example, the command attack text is ping -l 6550 -t -4 server's IP address, where -4 indicates the use of an IPv4 address in the command attack text. This command attack text indicates that 6550-byte packets will be continuously sent to the server, which will cause the server's system to crash.

[0059] The first method involves adding the first command field "-r count" to the attack command text, resulting in the enhanced attack text: `ping -l 6550-tr count-4`. Here, "-r count" indicates the number of routers the enhanced attack text passes through before being sent to the server (an IPv4 server address). This enhanced attack text indicates that 6550-byte packets are continuously sent to the server, and the number of routers traversed is recorded. The second method involves changing "6550" to "6520" in the attack command text, resulting in the enhanced attack text: `ping -l 6520-t-4`. This enhanced attack text indicates that 6520-byte packets are continuously sent to the server (an IPv4 server address). The third method involves deleting "-4" from the attack command text, resulting in the enhanced attack text: `ping -l 6550-t`. This enhanced attack text indicates that 6550-byte packets are continuously sent to the server (either an IPv4 or IPv6 server address).

[0060] In one possible implementation, the electronic device performs data augmentation on the non-attack request text based on the command attack enhancement text to obtain the attack request text, including at least one of the following: the electronic device nests the command field in the command attack enhancement text within the non-attack request text to obtain the attack request text; the electronic device replaces the request text in the non-attack request text with the command field in the command attack enhancement text to obtain the attack request text.

[0061] It should be understood that there are two methods: First, the command field from the command attack enhancement text is nested within the non-attack request text. This does not change the content of the request text in the non-attack request text; it simply adds the command field from the command attack enhancement text to the non-attack request text. In this way, the non-attack request text will contain the command field from the attack command text, thus transforming the non-attack request text into an attack request text. Second, the request text in the non-attack request text is replaced with the command field from the command attack enhancement text, changing the content of the request text in the non-attack request text. In this way, the non-attack request text includes the command field from the attack command text, thus transforming the non-attack request text into an attack request text.

[0062] In the above technical solution, the command attack text (command attack enhancement text) exists in the request text (non-attack request text) in two ways. Specifically, the command field in the command attack enhancement text is nested in the non-attack request text; the request text in the non-attack request text is replaced with the command field in the command attack enhancement text to obtain a larger number of attack request texts and enrich the attack request text in the sample request dataset.

[0063] 202. The electronic device inputs the target request text into the attack detection model, which performs multi-scale feature extraction based on the target request text to obtain multiple features at different scales; the multiple features at different scales are fused to obtain fused features, and the detection result of the target request text is determined based on the fused features.

[0064] The architecture of the "attack detection model" in step 202 above is a convolutional neural network architecture based on the Text CNN (Convolutional Neural Networks) model.

[0065] In one possible implementation, the attack detection model performs multi-scale feature extraction based on the target request text to obtain multiple features at different scales, including: the attack detection model converts the target request text into target word vectors, and uses convolutional kernels of different sizes to perform multi-scale feature extraction on the target word vectors to obtain the multiple features at different scales.

[0066] It should be understood that converting the target request text into target word vectors means representing the target request text as a series of vectors that can express the semantics of the text. This facilitates feature extraction by the subsequent attack detection model. Multi-scale feature extraction of target word vectors using convolutional kernels of different sizes refers to using convolutional kernels of different lengths and widths to extract features at multiple scales. Typically, [1*1], [3*3], [5*5], and [7*7] convolutional kernels are used to extract features at multiple scales from the target word vectors, resulting in features at multiple different scales.

[0067] In the above technical solution, the target request text is converted into target word vectors, which facilitates the processing of the target request text. By using convolution kernels of different sizes to extract multi-scale features from the target word vectors, more comprehensive features of the target request text at different scales can be obtained. These features have a stronger ability to represent the target request text, which makes the attack detection model have better attack detection performance.

[0068] Optionally, the attack detection model includes an embedding layer and a convolutional layer, and the attack detection model converts the target request text into target word vectors, and uses convolutional kernels of different sizes to perform multi-scale feature extraction on the target word vectors to obtain the multiple features at different scales, including: the embedding layer converts the target request text into target word vectors, and the convolutional layer uses convolutional kernels of different sizes to perform multi-scale feature extraction on the target word vectors to obtain the multiple features at different scales.

[0069] The embedding layer can be considered as the embedding layer; the convolutional layer can be considered as the encoder layer.

[0070] The process of determining when the convolutional layer training is complete is as follows.

[0071] In one possible implementation, the method 200 further includes: when the convolutional layer performs multi-scale feature extraction on multiple positive sample word vectors using convolutional kernels of different sizes, and the first distance value between the features at different scales is less than a first preset distance; when the convolutional layer performs multi-scale feature extraction on multiple negative sample word vectors using convolutional kernels of different sizes, and the second distance value between the features at different scales is less than a second preset distance, and the difference between the first distance value and the second distance value is greater than a first value, the electronic device determines that the convolutional layer has been successfully trained; wherein, the multiple positive sample word vectors are obtained by transforming multiple positive samples, and the multiple negative sample word vectors are obtained by transforming multiple negative samples.

[0072] Optionally, both the first distance value and the second distance value can be Euclidean distance values ​​or cosine distance values.

[0073] In the above technical solution, the features between positive samples are similar, the features between negative samples are similar, and the features between positive and negative samples differ significantly. Therefore, the feature extraction capability of the convolutional layer can be measured by the first distance value between features of different scales obtained from positive samples, the second distance value between features of different scales obtained from negative samples, and the difference between the first and second distance values. This allows the convolutional layer to have better feature extraction capabilities.

[0074] The process of "fusing features of multiple different scales to obtain fused features" will be discussed in two ways below.

[0075] In one possible implementation, the attack detection model fuses the features of multiple different scales to obtain a fused feature, including: the attack detection model concatenates the features of multiple different scales in the channel direction to obtain the fused feature, wherein the number of channels of the fused feature is the sum of the number of channels of the features of multiple different scales.

[0076] In the above technical solution, features at multiple different scales are spliced ​​together to obtain fused features with multiple channels. This achieves the complementary advantages of features at multiple different scales, enabling the attack detection model to obtain more robust and accurate attack detection results.

[0077] It should be understood that before the attack detection model performs feature concatenation on the features at multiple different scales, the method further includes: upsampling the features at multiple different scales by the attack detection model to obtain multiple sampled features, and then concatenating the multiple sampled features. "Upsampling" refers to element interpolation in the features at each scale to make the features at different scales become features of the same scale (same in length and width), which is beneficial for subsequent feature concatenation. In this embodiment, upsampling mainly refers to zero padding.

[0078] It should also be understood that the size of each feature can be characterized by its length, width, and number of channels, where the number of channels is also called depth.

[0079] Figure 3 This is a schematic diagram of a first feature provided in an embodiment of this application.

[0080] For example, such as Figure 3 The first feature shown has 3 channels, meaning it consists of three features (feature a, feature b, and feature c). Features a, b, and c each have a length and width of 2, indicating that each feature is 2*2 in size, meaning each feature consists of 4 elements: feature a consists of elements 5, 3, 1, and 2; feature b consists of elements 2, 6, 3, and 1; and feature c consists of elements 8, 3, 4, and 7.

[0081] It should also be understood that feature concatenation along the channel direction can be simply understood as connecting multiple features of different scales along the channel direction. The number of channels will change before and after feature fusion.

[0082] Figure 4 This is a schematic diagram illustrating the determination of fusion features provided in an embodiment of this application.

[0083] For example, such as Figure 4 The second feature shown in (a) has a length, width, and number of channels of 2, 2, and 3, respectively. The features on the three channels of the second feature are feature a, feature b, and feature c, where feature a consists of elements 5, 3, 1, and 2; feature b consists of elements 2, 6, 3, and 1; and feature c consists of elements 8, 3, 4, and 7. (See diagram for reference.) Figure 4 The third feature shown in (b) has a length, width, and number of channels of 2, 3, and 2, respectively. The features on the two channels of the third feature are feature d and feature e, where feature d consists of elements 6, 3, 1, 2, 7, and 3; feature e consists of elements 2, 4, 1, 8, 4, and 9. The second and third features are concatenated along the channel direction to obtain the fourth feature, as shown in (b). Figure 4As shown in (c) in the diagram. From Figure 4 As can be seen in (c): after padding features a, b and c that make up the second feature with zeros in the width direction, the third feature and the zero-padded second feature are concatenated on the channel to obtain the fourth feature.

[0084] In another possible implementation, the attack detection model fuses the features of multiple different scales to obtain a fused feature, including: the attack detection model adds the features of multiple different scales in the length and width directions to obtain the fused feature, and the number of channels of the fused feature is the value with the largest number of channels among the features of multiple different scales.

[0085] In the above technical solution, features of multiple different scales are fused in another way. Specifically, the features of multiple different scales are added together in the length and width directions to obtain the fused feature. This realizes the complementary advantages of features of multiple different scales, so that the attack detection model can obtain more robust and accurate attack detection results.

[0086] It should be understood that before the attack detection model adds features at multiple different scales, the method further includes: upsampling the features at multiple different scales by the attack detection model to obtain multiple sampled features, and then adding the multiple sampled features. "Upsampling" refers to element interpolation in the features at each scale so that the features at different scales become features of the same scale (same length, width, and height), which is beneficial for subsequent feature addition. In this embodiment, upsampling mainly refers to zero padding.

[0087] It should also be understood that adding features at multiple different scales along the length and width directions can be simply understood as adding the corresponding elements of each feature at a different scale. The number of channels remains unchanged before and after feature fusion.

[0088] Figure 5 This is a schematic diagram illustrating another method for determining fusion features provided in an embodiment of this application.

[0089] For example, with Figure 5 The second feature shown in (a) and with Figure 5 Taking the third feature shown in (b) as an example, the process of feature addition is described. By comparing the length, width, and number of channels of the second feature (2, 2, and 3 respectively) with the length, width, and number of channels of the third feature (2, 3, and 2 respectively), it is determined that the second and third features need to be padded with zeros respectively. Then, the fifth feature is obtained (see [reference]). Figure 5 (c) and the sixth feature (see also) Figure 5(d)). Then, by adding corresponding elements from feature a to feature d, corresponding elements from feature b to feature e, and corresponding elements from feature c to feature f, the seventh feature is obtained (see [reference]). Figure 5 (e)). The seventh feature consists of feature h, feature i and feature c, wherein feature h consists of elements 11, 6, 2, 4, 7 and 3; feature i consists of elements 4, 10, 4, 9, 4 and 9; and feature c consists of elements 8, 3, 4, 7, 0 and 0.

[0090] Optionally, the attack detection model further includes a splicing layer, and the attack detection model splices the features of multiple different scales in the channel direction to obtain the fused feature, including: the splicing layer splices the features of multiple different scales in the channel direction to obtain the fused feature.

[0091] Among them, the splicing layer can be regarded as the Concat layer (feature splicing layer).

[0092] Optionally, the attack detection model further includes an additive layer, and the attack detection model adds features of multiple different scales in the length and width directions to obtain the fused feature, including: the additive layer adds features of multiple different scales in the length and width directions to obtain the fused feature.

[0093] The addition layer can be viewed as an Add layer (feature addition layer).

[0094] Optionally, the attack detection model further includes a classification layer, and determines the detection result of the target request text based on the fusion feature, including: the classification layer determines the detection result of the target request text based on the fusion feature.

[0095] The classification layer can be considered as the Classifier layer.

[0096] 203. The electronic device trains the attack detection model based on the loss value between the detection result and the annotation result of the target request text, which is used to indicate whether the target request text is an attack request text.

[0097] It should be understood that the annotation results are the results of manually or electronically annotating the target request text before training the attack detection model. During the training process of the attack detection model, the detection results of the attack detection model on the target request text should be as close as possible to the annotation results; that is, the loss value should be as small as possible. This will result in an attack detection model with better attack detection performance.

[0098] In one possible implementation, the method 200 further includes: if the loss value is less than a preset loss value, the electronic device determines that the attack detection model has been successfully trained; if the loss value is greater than or equal to the preset loss value, the electronic device continues to train the attack detection model.

[0099] In the above technical solution, the loss value is used to measure whether to continue training the attack detection model. When the loss value is less than the preset loss value, it indicates that the attack detection model has achieved a good attack detection effect, and the attack detection model does not need to be trained further. Therefore, the electronic device determines that the attack detection model has been successfully trained. When the loss value is greater than or equal to the preset loss value, it indicates that the attack detection effect of the attack detection model does not yet meet the requirements, and the attack detection model needs to be trained further.

[0100] It should be understood that steps 201 to 203 above constitute the training process for the attack detection model. The actual usage process of the attack detection model is described below, and details can be found in steps 601 to 603.

[0101] Figure 6 This is a schematic flowchart illustrating another method for processing request text provided in an embodiment of this application.

[0102] It should be understood that, similar to the method for processing request text described above, another method for processing request text provided in this application embodiment can be applied to... Figure 1 The server shown. Alternatively, this method of processing request text can also be applied to a third-party device (electronic device) that communicates with the server. This third-party device can perform attack detection on the request text for accessing the server, and if the request text is an attack request text, it can detect whether the attack on the server was successful.

[0103] For example, such as Figure 6 As shown, the method 600 includes:

[0104] 601. The electronic device inputs the request text to be detected into the attack detection model, which is trained from the target request text in the sample request dataset, which includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text.

[0105] 602, the attack detection model performs multi-scale feature extraction on the request text to be detected, and obtains features at multiple different scales.

[0106] 603. The attack detection model fuses features from multiple different scales to obtain fused features, and performs attack detection on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text.

[0107] It should be understood that steps 601 to 603 are the actual process of using the attack detection model. The specific implementation methods in these steps belong to the same inventive concept as steps 201 to 203, and will not be described again here.

[0108] In one possible implementation, the method 600 further includes: if the request text to be detected is an attack request text, the electronic device determines a first response message for the request text to be detected; based on the first response message and a reference response message of the attack request text, the electronic device determines that the request text to be detected has successfully attacked the response device, the reference response message being the message obtained by the attack request text successfully attacking the response device, and the response device being the device that generated the first response message.

[0109] It should be understood that a request text to be detected can only successfully attack the responding device if it is an attack request text. Therefore, if the request text to be detected is an attack request text, further detection can be performed. If it is found that the request text has successfully attacked the responding device, the electronic device can store the address of the accessed device of the request text. This way, in subsequent accesses to the responding device by that accessed device, the server will not respond to the request text from that accessed device.

[0110] In the above technical solution, based on the above explanation or description, when the request text to be detected is an attack request text, further processing can be performed on the request text to be detected. Specifically, the first response message of the request text to be detected is determined, and the success or failure of the attack is detected based on the reference response message of the attack request text that successfully attacked the responding device.

[0111] It should also be understood that, since the reference response message for the attack request text is a verified attack request text capable of successfully attacking the responding device, the reference response message can be used to detect a successful attack on the request text to be detected. Specifically, the process of using the reference response message to detect a successful attack on the request text to be detected is as follows.

[0112] In one possible implementation, the electronic device determines that the request text to be detected has successfully attacked the response device based on the first response message and a reference response message of the attack request text, including at least one of the following: if the first response message contains multiple fields of a specified format using regular expressions, the electronic device determines that the request text to be detected has successfully attacked the response device, wherein the multiple fields of the specified format are obtained from the reference response message; the electronic device extracts the attack semantic vector of the reference response message and the first semantic vector of the first response message; the electronic device determines the similarity between the first semantic vector and the attack semantic vector; if the similarity is greater than a preset similarity, the electronic device determines that the request text to be detected has successfully attacked the response device.

[0113] Optionally, the similarity in the above technical solution is cosine similarity or Euclidean distance.

[0114] In the above technical solution, the success of the attack on the response device is determined by the two methods described above. Specifically, when the format of the request text to be detected is relatively simple, regular expressions are used to search for multiple fields of a specified format (obtained from a reference response message) in the first response message of the request text to be detected, thus determining that the request text to be detected has successfully attacked the response device. When the format of the request text to be detected is relatively complex, the similarity between the attack semantic vector of the reference response message and the first semantic vector of the first response message is used. If the similarity is greater than a preset similarity, the success of the attack on the response device is determined.

[0115] It should be understood that the "regular expression" in the above technical solution can be understood as using a single string to describe and match a series of strings that match a certain syntax rule. It is typically used to retrieve and replace text that conforms to a certain pattern (rule). Since the response message (reference response message) of a successfully attacked response device conforms to certain rules (has a specified format), regular expressions can be used to search whether the first response message of the request text to be detected contains multiple fields of the specified format. If the first response message contains multiple fields of the specified format, it is determined that the request text to be detected has successfully attacked the response device.

[0116] In one possible implementation, the electronic device extracts the attack semantic vector of the reference response message and the first semantic vector of the first response message, including: the electronic device extracts the attack semantic vector of the reference response message and the first semantic vector of the first response message through a semantic model.

[0117] The semantic model can be viewed as a Sentence-Transformer model, which converts text of different lengths (reference response messages or first response messages) into fixed-length embedding vectors; the semantic model can also be viewed as an Embedding model.

[0118] Figure 7 This is a schematic diagram of the structure of an apparatus for processing request text provided in an embodiment of this application.

[0119] For example, such as Figure 7 As shown, the device 700 includes:

[0120] The acquisition module 701 is used to acquire target request text from a sample request dataset, which includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text.

[0121] Processing module 702 is used for:

[0122] The target request text is input into the attack detection model, which performs multi-scale feature extraction based on the target request text to obtain features at multiple different scales. The features at multiple different scales are then fused to obtain fused features, and the detection result of the target request text is determined based on the fused features. The attack detection model is trained based on the loss value between the detection result and the annotation result of the target request text, which is used to indicate whether the target request text is an attack request text.

[0123] Optionally, the device 700 further includes a data enhancement module, configured to: perform data enhancement on the command attack text to obtain command attack enhanced text; and perform data enhancement on the non-attack request text based on the command attack enhanced text to obtain the attack request text.

[0124] Optionally, the data augmentation module is specifically used for at least one of the following: adding a first command field to the command attack text to obtain the command attack augmented text; updating the parameters of at least one command field in the command attack text to obtain the command attack augmented text; and deleting a second command field from the command attack text to obtain the command attack augmented text.

[0125] Optionally, the data augmentation module is further used for at least one of the following: nesting the command field in the command attack augmentation text within the non-attack request text to obtain the attack request text; replacing the request text in the non-attack request text with the command field in the command attack augmentation text to obtain the attack request text.

[0126] Figure 8This is a schematic diagram of the structure of an apparatus for processing request text provided in an embodiment of this application.

[0127] For example, such as Figure 8 As shown, the device 800 includes:

[0128] The input module 801 is used to input the request text to be detected into the attack detection model. The attack detection model is trained from the target request text in the sample request dataset. The sample request dataset includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text.

[0129] The extraction module 802 is used to perform multi-scale feature extraction on the request text to be detected by the attack detection model, so as to obtain features at multiple different scales.

[0130] The detection module 803 is used to fuse features of multiple different scales by the attack detection model to obtain fused features, and to perform attack detection on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text.

[0131] Optionally, the device 800 further includes: a determining module, configured to: determine a first response message for the request text to be detected if the request text to be detected is an attack request text; and determine, based on the first response message and a reference response message of the attack request text, that the request text to be detected has successfully attacked the response device, wherein the reference response message is a message obtained by the attack request text successfully attacking the response device, and the response device is the device that generated the first response message.

[0132] Optionally, the determining module is specifically used for at least one of the following: determining that the request text to be detected successfully attacks the response device when the first response message contains multiple fields of a specified format using regular expressions, wherein the multiple fields of the specified format are obtained from the reference response message; extracting the attack semantic vector of the reference response message and the first semantic vector of the first response message; determining the similarity between the first semantic vector and the attack semantic vector; and determining that the request text to be detected successfully attacks the response device when the similarity is greater than a preset similarity.

[0133] Figure 9 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.

[0134] For example, such as Figure 9As shown, the electronic device 900 includes: a memory 901, a processor 902, and a computer program 903 stored in the memory 901 and running on the processor 902, wherein when the processor 902 executes the computer program 903, the electronic device can perform any of the methods for processing request text described above.

[0135] This embodiment can divide the electronic device into functional modules according to the above method example. For example, each module can correspond to a separate functional module, or two or more functions can be integrated into one processing module. The integrated module can be implemented in hardware. It should be noted that the module division in this embodiment is illustrative and only represents one logical functional division. In actual implementation, there may be other division methods.

[0136] When each functional module is divided according to its corresponding function, the electronic device may include: an acquisition module, a processing module, an input module, an extraction module, a detection module, a data augmentation module, and a determination module, etc. It should be noted that all relevant content of each step involved in the above method embodiments can be referenced to the functional description of the corresponding functional module, and will not be repeated here.

[0137] The electronic device provided in this embodiment is used to execute the above-described method for processing request text, and thus can achieve the same effect as the above-described implementation method.

[0138] When using integrated units, the electronic device may include a processing module and a storage module. The processing module is used to control and manage the operation of the electronic device. The storage module is used for the electronic device to execute program code and data.

[0139] The processing module may be a processor or a controller, which can implement or execute various exemplary logic blocks, modules, and circuits as disclosed in this application. The processor may also be a combination of computing functions, such as a combination of one or more microprocessors, a combination of digital signal processing (DSP) and microprocessors, etc., and the storage module may be a memory.

[0140] This embodiment provides a computer-readable storage medium storing instructions that, when executed on a computer or processor, cause the computer or processor to perform any of the methods described above for processing request text.

[0141] This embodiment also provides a computer program product containing instructions that, when run on a computer or processor, causes the computer or processor to perform the aforementioned related steps to implement any of the methods for processing request text described above.

[0142] In this embodiment, the electronic device, computer-readable storage medium, computer program product containing instructions, or chip are all used to execute the corresponding methods provided above. Therefore, the beneficial effects they can achieve can be referred to the beneficial effects in the corresponding methods provided above, and will not be repeated here.

[0143] Through the above description of the embodiments, those skilled in the art will understand that, for the sake of convenience and brevity, only the division of the above functional modules is used as an example. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above.

[0144] In the embodiments provided in this application, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of modules or units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another device, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between devices or units may be electrical, mechanical, or other forms.

[0145] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for processing request text, characterized in that, The method includes: The target request text is obtained from the sample request dataset, which includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text. The target request text is input into the attack detection model, which performs multi-scale feature extraction based on the target request text to obtain multiple features at different scales. The multiple features at different scales are then fused to obtain fused features, and the detection result for the target request text is determined based on the fused features. The attack detection model is trained based on the loss value between the detection result and the annotation result of the target request text, wherein the annotation result is used to indicate whether the target request text is an attack request text. The method for data augmentation of the command attack text and the non-attack request text includes: The command attack text is augmented to obtain the command attack augmented text; The non-attack request text is augmented with data based on the command attack enhancement text to obtain the attack request text. The data augmentation of the command attack text to obtain command attack augmented text includes at least one of the following: A first command field is added to the command attack text to obtain the command attack enhanced text; The parameters of at least one command field in the command attack text are updated to obtain the command attack enhancement text; The second command field is deleted from the command attack text to obtain the command attack enhancement text; The process of data augmenting the non-attack request text based on the command attack augmentation text to obtain the attack request text includes at least one of the following: The command field in the command attack enhancement text is nested in the non-attack request text to obtain the attack request text; The attack request text is obtained by replacing the request text in the non-attack request text with the command field in the command attack enhancement text.

2. The method according to claim 1, characterized in that, The attack detection model extracts multiple features at different scales based on the target request text, including: The attack detection model converts the target request text into target word vectors, and uses convolutional kernels of different sizes to extract multi-scale features from the target word vectors, thereby obtaining features of multiple different scales.

3. The method according to claim 1, characterized in that, The process of fusing features at multiple different scales to obtain fused features includes: The features of multiple different scales are spliced ​​together in the channel direction to obtain the fused feature, and the number of channels of the fused feature is the sum of the number of channels of the multiple features of different scales.

4. A method for processing request text, characterized in that, The method includes: The request text to be detected is input into the attack detection model, which is trained from the target request text in the sample request dataset. The sample request dataset includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text. The attack detection model performs multi-scale feature extraction on the request text to be detected, resulting in features at multiple different scales. The attack detection model fuses features from multiple different scales to obtain fused features, and performs attack detection on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text. The method for data augmentation of the command attack text and the non-attack request text includes: The command attack text is augmented to obtain the command attack augmented text; The non-attack request text is augmented with data based on the command attack enhancement text to obtain the attack request text. The data augmentation of the command attack text to obtain command attack augmented text includes at least one of the following: A first command field is added to the command attack text to obtain the command attack enhanced text; The parameters of at least one command field in the command attack text are updated to obtain the command attack enhancement text; The second command field is deleted from the command attack text to obtain the command attack enhancement text; The process of data augmenting the non-attack request text based on the command attack augmentation text to obtain the attack request text includes at least one of the following: The command field in the command attack enhancement text is nested in the non-attack request text to obtain the attack request text; The attack request text is obtained by replacing the request text in the non-attack request text with the command field in the command attack enhancement text.

5. The method according to claim 4, characterized in that, The method further includes: If the request text to be detected is an attack request text, determine the first response message to the request text to be detected; Based on the first response message and the reference response message of the attack request text, it is determined that the request text to be detected successfully attacked the response device. The reference response message is the message obtained by the attack request text successfully attacking the response device. The response device is the device that generated the first response message.

6. The method according to claim 5, characterized in that, The determination that the request text to be detected successfully attacked the response device based on the reference response message of the first response message and the attack request text includes at least one of the following: If the first response message contains multiple fields of a specified format when searching using regular expressions, it is determined that the request text to be detected successfully attacked the response device, and the multiple fields of the specified format are obtained from the reference response message; Extract the attack semantic vector of the reference response message and the first semantic vector of the first response message; determine the similarity between the first semantic vector and the attack semantic vector; if the similarity is greater than a preset similarity, determine that the request text to be detected has successfully attacked the response device.

7. An apparatus for processing request text, characterized in that, The device includes: The acquisition module is used to acquire target request text from a sample request dataset, the sample request dataset including attack request text and non-attack request text, the attack request text being obtained by data augmentation of command attack text and the non-attack request text; Processing module, used for: The target request text is input into the attack detection model, which performs multi-scale feature extraction based on the target request text to obtain multiple features at different scales. The multiple features at different scales are then fused to obtain fused features, and the detection result for the target request text is determined based on the fused features. The attack detection model is trained based on the loss value between the detection result and the annotation result of the target request text, wherein the annotation result is used to indicate whether the target request text is an attack request text. The device also includes a data enhancement module, used to: enhance the command attack text to obtain enhanced command attack text; and enhance the non-attack request text based on the enhanced command attack text to obtain the attack request text. The data augmentation module is specifically used for at least one of the following: adding a first command field to the command attack text to obtain the command attack augmented text; updating the parameters of at least one command field in the command attack text to obtain the command attack augmented text; and deleting a second command field from the command attack text to obtain the command attack augmented text. The data augmentation module is further used for at least one of the following: nesting the command field in the command attack augmentation text within the non-attack request text to obtain the attack request text; replacing the request text in the non-attack request text with the command field in the command attack augmentation text to obtain the attack request text.

8. An apparatus for processing request text, characterized in that, The device includes: The input module is used to input the request text to be detected into the attack detection model. The attack detection model is trained from the target request text in the sample request dataset. The sample request dataset includes attack request text and non-attack request text. The attack request text is obtained by data augmentation of the command attack text and the non-attack request text. The extraction module is used to perform multi-scale feature extraction on the request text to be detected by the attack detection model to obtain features at multiple different scales. The detection module is used to fuse features of multiple different scales by the attack detection model to obtain fused features, and to perform attack detection on the request text to be detected based on the fused features to determine whether the request text to be detected is an attack request text. The method for data augmentation of the command attack text and the non-attack request text includes: The command attack text is augmented to obtain the command attack augmented text; The non-attack request text is augmented with data based on the command attack enhancement text to obtain the attack request text. The data augmentation of the command attack text to obtain command attack augmented text includes at least one of the following: A first command field is added to the command attack text to obtain the command attack enhanced text; The parameters of at least one command field in the command attack text are updated to obtain the command attack enhancement text; The second command field is deleted from the command attack text to obtain the command attack enhancement text; The process of data augmenting the non-attack request text based on the command attack augmentation text to obtain the attack request text includes at least one of the following: The command field in the command attack enhancement text is nested in the non-attack request text to obtain the attack request text; The attack request text is obtained by replacing the request text in the non-attack request text with the command field in the command attack enhancement text.

9. The apparatus according to claim 8, characterized in that, The device further includes a determination module, configured to: determine a first response message for the request text to be detected if the request text to be detected is an attack request text; and determine, based on the first response message and a reference response message of the attack request text, that the request text to be detected has successfully attacked the response device, wherein the reference response message is a message obtained by the attack request text successfully attacking the response device, and the response device is the device that generated the first response message.

10. The apparatus according to claim 9, characterized in that, The determining module is specifically used for at least one of the following: when the first response message contains multiple fields of a specified format using regular expressions, determining that the request text to be detected has successfully attacked the response device, wherein the multiple fields of the specified format are obtained from the reference response message; extracting the attack semantic vector of the reference response message and the first semantic vector of the first response message; determining the similarity between the first semantic vector and the attack semantic vector; and determining that the request text to be detected has successfully attacked the response device if the similarity is greater than a preset similarity.

11. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores instructions that, when executed on a computer or processor, cause the computer or processor to perform the method for processing request text as described in any one of claims 1 to 6.

12. An electronic device, characterized in that, The device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the computer program, it causes the electronic device to perform the method for processing request text as described in any one of claims 1 to 6.