A method and apparatus for detecting injection attacks
By fusing semantic encoding of network addresses and word vector features to train the detection model, the problem of false positives in Web attack detection in existing technologies is solved, and the detection accuracy and interpretability are improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA TELECOM NETWORK SECURITY TECH CO LTD
- Filing Date
- 2024-11-13
- Publication Date
- 2026-06-30
AI Technical Summary
Existing web attack detection methods are prone to misjudgment in network application firewalls, leading to operational and maintenance difficulties. Furthermore, machine learning models lack the utilization of URL semantic information, resulting in insufficient detection accuracy.
By combining semantic encoding and word vector features of network addresses, a detection model is trained to improve the model's ability to understand network addresses and achieve more accurate injection attack detection.
It improves the accuracy of injection attack detection, reduces false alarms, lowers model complexity, and enhances the interpretability of the detection model.
Figure CN119420562B_ABST
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to a method and apparatus for detecting injection attacks.
Background Technology
[0002] Most companies today offer web services on the public internet. While this openness provides convenience, it also makes web services more vulnerable to hacker attacks. Injection attacks are one of the main threats facing web applications.
[0003] Currently, web attack detection is primarily integrated into Web Application Firewalls (WAFs) to perform real-time monitoring of web traffic. This includes data-driven detection methods; feature extraction and detection using machine learning models; and anomaly detection using unsupervised learning. However, all of these methods are prone to false positives, making them inconvenient for daily operation and maintenance.
[0004] Therefore, how to improve the accuracy of injection attack detection is an urgent problem to be solved.
Summary of the Invention
[0005] This invention provides an injection attack detection method and apparatus, which combines semantic information of network addresses with word vector features before threat detection, thereby improving the detection model's ability to understand network addresses and thus improving the accuracy of injection attack detection.
[0006] In a first aspect, embodiments of the present invention provide an injection attack detection method, comprising:
[0007] Obtain the network address to be detected;
[0008] The network address to be detected is input into the detection model, and the detection result of the network address to be detected is obtained by the detection model output; the detection model is trained based on the fusion of the semantic encoding of the network address and the word vector features of the network address, and the detection result represents whether the network address to be detected is malicious;
[0009] If the detection result indicates that the network address to be detected is malicious, an alarm is triggered.
[0010] In the above technical solution, the network address to be detected can be obtained from network traffic data. The detection model is trained based on the fusion of the semantic encoding and word vector features of the network address, that is, detection combines the semantic information and the word vector information of the network address. The detection result can be a classification result that classifies the network address as malicious or non-malicious. The detection result therefore characterizes whether the network address to be detected is malicious. If the detection result indicates that it is malicious, an alert is sent to monitoring personnel, thereby improving the accuracy of injection attack detection.
[0011] Optionally, the detection model is trained based on the fusion of semantic encoding and word vector features of network addresses, including:
[0012] Obtain a set of network addresses, which includes both malicious and non-malicious network addresses;
[0013] The network addresses in the network address set are preprocessed to obtain the training set;
[0014] For any preprocessed network address in the training set, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address.
[0015] Feature extraction is performed on different characters in the preprocessed network address, and then quantized to obtain the word vector features of the preprocessed network address;
[0016] The neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain the detection model.
[0017] In the above technical solution, the network addresses in the network address set can be those from attack traffic logs and normal traffic logs, or they can be network addresses from public datasets and real online traffic data, or even manually constructed attack network addresses. The preprocessed network addresses are encoded and feature-extracted separately to obtain the semantic encoding and word vector features of each preprocessed network address. The detection model is then trained based on the semantic encoding and word vector features of each preprocessed network address. This improves the detection model's ability to understand network addresses, thereby enhancing the accuracy of injection attack detection.
[0018] Optionally, the network addresses in the network address set are preprocessed, including:
[0019] For any network address in the network address set, the network address is decoded, and the first character in the network address is filtered to obtain a filtered network address; the first character indicates a character in the network address that cannot constitute an attack.
[0020] Based on regular expression extraction, the filtered network addresses are segmented and generalized to obtain preprocessed network addresses.
[0021] In the above technical solution, after preprocessing the network address, the hidden characters will be displayed, reducing the size of the dictionary and the complexity of the model.
[0022] Optionally, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address, including:
[0023] Calculate an encoding for the type of the characters in the preprocessed network address to obtain the structural position encoding of each type; the types include resource path, identifier, parameter name, and parameter value;
[0024] The characters in the preprocessed network address are encoded based on their type to obtain the relative position encoding of different characters;
[0025] Based on the type of different characters in the preprocessed network address, the relative position encoding of the different characters is added to the structural position encoding of the different types to obtain the semantic encoding of the preprocessed network address.
[0026] Optionally, the neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain a detection model, including:
[0027] Based on the semantic encoding of each preprocessed network address in the training set, the semantic embedding matrix of each preprocessed network address in the training set is calculated.
[0028] Based on the word vector features of each preprocessed network address in the training set, the word vector embedding matrix of each preprocessed network address in the training set is calculated.
[0029] The semantic embedding matrix of each preprocessed network address in the training set and the word vector embedding matrix are fused together to train the neural network model, thereby obtaining the detection model.
[0030] In a second aspect, embodiments of the present invention provide an injection attack detection device, comprising:
[0031] The acquisition module is used to acquire the network address to be detected;
[0032] The processing module is used to input the network address to be detected into the detection model and obtain the detection result of the network address to be detected output by the detection model; the detection model is trained based on the fusion of the semantic encoding of the network address and the word vector features of the network address, and the detection result characterizes whether the network address to be detected is malicious;
[0033] If the detection result indicates that the network address to be detected is malicious, an alarm is triggered.
[0034] Optionally, the processing module is specifically used for:
[0035] Obtain a set of network addresses, which includes both malicious and non-malicious network addresses;
[0036] The network addresses in the network address set are preprocessed to obtain the training set;
[0037] For any preprocessed network address in the training set, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address.
[0038] Feature extraction is performed on different characters in the preprocessed network address, and then quantized to obtain the word vector features of the preprocessed network address;
[0039] The neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain the detection model.
[0040] Optionally, the processing module is specifically used for:
[0041] For any network address in the network address set, the network address is decoded, and the first character in the network address is filtered to obtain a filtered network address; the first character indicates a character in the network address that cannot constitute an attack.
[0042] Based on regular expression extraction, the filtered network addresses are segmented and generalized to obtain preprocessed network addresses.
[0043] Optionally, the processing module is specifically used for:
[0044] Calculate an encoding for the type of the characters in the preprocessed network address to obtain the structural position encoding of each type; the types include resource path, identifier, parameter name, and parameter value;
[0045] The characters in the preprocessed network address are encoded based on their type to obtain the relative position encoding of different characters;
[0046] Based on the type of different characters in the preprocessed network address, the relative position encoding of the different characters is added to the structural position encoding of the different types to obtain the semantic encoding of the preprocessed network address.
[0047] Optionally, the processing module is specifically used for:
[0048] Based on the semantic encoding of each preprocessed network address in the training set, the semantic embedding matrix of each preprocessed network address in the training set is calculated.
[0049] Based on the word vector features of each preprocessed network address in the training set, the word vector embedding matrix of each preprocessed network address in the training set is calculated.
[0050] The semantic embedding matrix of each preprocessed network address in the training set and the word vector embedding matrix are fused together to train the neural network model, thereby obtaining the detection model.
[0051] In a third aspect, embodiments of the present invention also provide a computer device, comprising:
[0052] Memory, used to store program instructions;
[0053] The processor is used to call the program instructions stored in the memory and execute the above-mentioned injection attack detection method according to the obtained program.
[0054] In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing computer-executable instructions for causing a computer to execute the above-described injection attack detection method.
[0055] In a fifth aspect, embodiments of the present invention also provide a computer program product, the computer program product including an executable program that is executed by a processor to carry out the above-described injection attack detection method.
Attached Figure Description
[0056] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0057] Figure 1 is a schematic diagram of a system architecture provided by an embodiment of the present invention;
[0058] Figure 2 is a flowchart illustrating an injection attack detection method provided in an embodiment of the present invention;
[0059] Figure 3 is a schematic diagram of a relative position encoding provided in an embodiment of the present invention;
[0060] Figure 4 is a schematic diagram of an injection attack detection device provided in an embodiment of the present invention.
Detailed Implementation
[0061] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this invention, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.
[0062] The application scenarios described in this application are for the purpose of more clearly illustrating the technical solutions protected by the embodiments of this application, and do not constitute a limitation on the technical solutions provided by the embodiments of this application. Those skilled in the art will understand that with the emergence of new application scenarios, the technical solutions provided by the embodiments of this application are also applicable to similar technical problems. The terms "first" and "second" in the specification, claims, and accompanying drawings of this application are used to distinguish different objects, not to describe a specific order. In the description of this application, unless otherwise stated, "multiple" means two or more.
[0063] Before introducing the injection attack detection method provided in the embodiments of this application, for ease of understanding, the background technology and terminology involved in the embodiments of this application will be introduced below.
[0064] Position Embedding: Position embedding is an additional embedding vector used to represent the positional information of each location in the input sequence. In Transformer, position embedding uses different mathematical functions (such as sine and cosine functions) to map the positional information to a continuous vector space.
[0065] Transformer: This model, proposed by Google, is a neural network model based on a self-attention mechanism for processing sequential data. It contains multiple encoder and decoder layers, each consisting of multiple attention mechanism modules and feedforward neural network modules.
[0066] Self-attention mechanism: The core of the Transformer model is the self-attention mechanism, which assigns a weight to each position in each input sequence and then outputs these weighted position vectors.
[0067] URL (Uniform Resource Locator): On the WWW, every information resource has a unique address on the network, which is called a URL. It is the Uniform Resource Locator of the WWW, that is, a network address.
[0068] Today, most companies provide web services on the public internet. While this openness offers convenience, it also makes them more vulnerable to hacker attacks. According to an OWASP report, injection attacks are one of the major threats facing web applications, such as cross-site scripting (XSS), SQL injection, and server-side code injection. Once a hacker successfully breaches the system, enterprises face the threat of sensitive data leakage and service unavailability. Therefore, web attack detection has become an important means of addressing cybersecurity issues.
[0069] Currently, web attack detection is primarily integrated into Web Application Firewalls (WAFs) for real-time web traffic monitoring. Traditional WAFs are often experience-driven, relying mainly on rules written by security experts. While these rules are generally more effective and easier to use, their ability to detect unknown attacks is limited, and rule maintenance requires significant manpower. Recently, some WAF vendors have begun using data-driven solutions, such as Libinjection for SQL injection detection. This approach uses syntax trees for feature extraction, learning malicious features from attack samples for detection. Many studies also utilize machine learning models for feature extraction and detection, such as deep learning models like CNNs and LSTMs for attack detection and classification, achieving good results. Other literature proposes using unsupervised learning for anomaly detection, such as using Hidden Markov Models or Seq2Seq models to reconstruct URLs and detect anomalies in requests. Compared to rule-based detection based on regular expressions, machine learning models offer better generalization performance and a higher probability of detecting unknown threats; however, existing machine learning detection solutions all have some problems in practical applications.
[0070] 1. Failure to utilize URL semantic information can easily lead to false alarms, which is detrimental to daily operation and maintenance;
[0071] 2. Most machine learning models are black-box methods with poor interpretability;
[0072] Figure 1 shows an exemplary system architecture applicable to an embodiment of the present invention. The system architecture includes a server 100, which may include a processor 110, a communication interface 120, and a memory 130.
[0073] The communication interface 120 is used for data transmission.
[0074] The processor 110 is the control center of the server 100, connecting various parts of the server 100 through various interfaces and routes. It performs various functions and processes data by running or executing software programs and/or modules stored in the memory 130, and by calling data stored in the memory 130. Optionally, the processor 110 may include one or more processing units.
[0075] The memory 130 can be used to store software programs and modules. The processor 110 executes various functional applications and data processing by running the software programs and modules stored in the memory 130. The memory 130 may mainly include a program storage area and a data storage area. The program storage area may store the operating system, at least one application program required for a function, etc.; the data storage area may store data created according to business processing, etc. In addition, the memory 130 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device, flash memory device, or other volatile solid-state storage device.
[0076] It should be noted that the structure shown in Figure 1 above is merely an example, and the embodiments of the present invention are not limited thereto.
[0077] Based on the above description, Figure 2 shows an exemplary flowchart of an injection attack detection method provided by an embodiment of the present invention, which can be executed by an injection attack detection device.
[0078] As shown in Figure 2, the process specifically includes:
[0079] Step 210: Obtain the network address to be detected.
[0080] In this embodiment of the invention, the network address to be detected may be obtained from network traffic data, and no specific limitation is made on the method of obtaining the network address.
[0081] Step 220: Input the network address to be detected into the detection model to obtain the detection result of the network address to be detected output by the detection model; the detection model is trained based on the fusion of the semantic encoding of the network address and the word vector features of the network address, and the detection result characterizes whether the network address to be detected is malicious.
[0082] In this embodiment of the invention, after obtaining the network address to be detected, the network address is input into the detection model to obtain the detection result. The detection model is trained based on the fusion of the semantic encoding and word vector features of the network address, so detection combines the semantic information and the word vector information of the network address. The detection result can be a classification result that classifies the network address to be detected as malicious or non-malicious; the detection result can therefore characterize whether the network address to be detected is malicious. In some embodiments, the detection result can also be a maliciousness score of the network address to be detected; if the score exceeds a threshold, the network address is considered malicious. The content of the detection result is therefore not specifically limited here, as long as it can characterize whether the network address is malicious.
[0083] The method for establishing the detection model specifically includes: obtaining a set of network addresses. This set includes both malicious and non-malicious network addresses. For example, the network addresses in the set can be those from attack traffic logs and normal traffic logs, or they can be network addresses from public datasets and real online traffic data, or artificially constructed attack network addresses. It is understood that the detection method in this invention primarily targets network addresses; therefore, the acquired training data must ensure that the attack payload is located within a network address.
[0084] Then, the network addresses in the network address set are preprocessed to obtain the training set. Specifically, for any network address in the network address set, the network address is decoded, and the first character of the network address is filtered to obtain the filtered network address. The decoding method can include one or more of the following: Base64 decoding, URL decoding, HTML decoding, and Unicode decoding. For example, the original network address [/test?i=1234&v=abMTAgYW5kIDE9MQ==&e=test] is decoded to obtain the decoded network address [/test?i=1234&v=ab10 and 1=1&e=test]. It can be understood that decoding the network address can restore the attack fragment information in the network address to the greatest extent. The first character indicates a character in the network address that cannot constitute an attack. Filtering out the first character in the network address can reduce the subsequent computational resource consumption.
[0085] Then, based on regular expression extraction, the filtered network addresses are segmented and generalized to obtain the preprocessed network addresses. Specifically, the filtered network addresses are segmented using regular expressions, and the special strings among them are generalized. Exemplarily, the regular expressions used cover special characters, character-digit combinations, hexadecimal-encoded strings, Chinese characters, etc. The generalization rules are shown in the following table:
[0086]
[0087]
[0088] For example, after generalizing the request fragment [v = ab10 and 1 = 1\x42你好] according to the above table, it becomes: [v = ab10 and <num> = <num> <hex> <chinese>]. It can be understood that generalizing special strings reduces the dictionary size and lowers model complexity. The general syntax of a network address is: [protocol type]://[server address]:[port number]/[resource-level UNIX file path][filename]?[query]#[fragment ID]. After preprocessing, the final format is [resource path]?[parameter name]=[parameter value]&[parameter name]=[parameter value].
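The decoding, segmentation and generalization steps of [0084] to [0088], as an added Python example that is not code from the patent. The generalization table did not survive on this page, so only the three placeholders visible in the worked example (<num>, <hex>, <chinese>) are implemented; the base64 heuristic, the round limit and all function names are assumptions, and the "first character" filtering step is left out because the page does not list those characters.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote

MAX_ROUNDS = 3  # assumed bound on nested encodings (not from the page)
# Assumed heuristic: at least 8 base64 characters plus optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
_ORIGIN = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/?#]*")
_TOKEN = re.compile(
    r"(?P<hex>(?:\\x[0-9A-Fa-f]{2})+)"   # \x42 style hex-encoded strings
    r"|(?P<chinese>[\u4e00-\u9fff]+)"    # runs of Chinese characters
    r"|(?P<word>[A-Za-z0-9_]+)"          # digits, letters, mixed words
    r"|(?P<special>[^\sA-Za-z0-9_])"     # any other visible character
)

# Example address from paragraph [0084] of the page.
SAMPLE = "/test?i=1234&v=abMTAgYW5kIDE9MQ==&e=test"


def _decode_base64_runs(text):
    """Decode base64 fragments embedded in a value, keeping any prefix."""
    def replace(match):
        run = match.group(0)
        # The payload can follow plain characters (the "ab" in the page's
        # example), so try every suffix whose length is a multiple of 4.
        for start in range(len(run) - 7):
            candidate = run[start:]
            if len(candidate) % 4:
                continue
            try:
                raw = base64.b64decode(candidate, validate=True)
            except (binascii.Error, ValueError):
                continue
            # Accept only printable ASCII to limit accidental decodes.
            if raw and all(32 <= byte < 127 for byte in raw):
                return run[:start] + raw.decode("ascii")
        return run
    return _B64_RUN.sub(replace, text)


def decode(text, with_base64):
    """URL-, HTML- and optionally base64-decode until nothing changes."""
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(unquote(text))
        if with_base64:
            decoded = _decode_base64_runs(decoded)
        if decoded == text:
            break
        text = decoded
    return text


def generalize(text):
    """Split text into tokens and replace special strings by placeholders."""
    tokens = []
    for match in _TOKEN.finditer(text):
        kind, token = match.lastgroup, match.group(0)
        if kind == "hex":
            tokens.append("<hex>")
        elif kind == "chinese":
            tokens.append("<chinese>")
        elif kind == "word" and token.isdigit():
            tokens.append("<num>")
        else:
            tokens.append(token)
    return tokens


def preprocess(url):
    """Return tokens in the form [path]?[name]=[value]&[name]=[value]."""
    rest = _ORIGIN.sub("", url).split("#", 1)[0]  # drop origin and fragment
    path, _, query = rest.partition("?")
    tokens = generalize(decode(path, with_base64=False))
    if not query:
        return tokens
    tokens.append("?")
    # Split on the raw separators first so decoded "&" or "=" inside a
    # value cannot change the structure of the address.
    for index, pair in enumerate(query.split("&")):
        if index:
            tokens.append("&")
        name, equals, value = pair.partition("=")
        tokens += generalize(decode(name, with_base64=False))
        if equals:
            tokens.append("=")
            tokens += generalize(decode(value, with_base64=True))
    return tokens


if __name__ == "__main__":
    print(preprocess(SAMPLE))
```

Base64 decoding is applied to parameter values only, because "/" and letters in an ordinary path also belong to the base64 alphabet.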
[0089] For any preprocessed network address in the training set, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address. Specifically, the encoding of the type of characters in the preprocessed network address is calculated to obtain the structural position encoding of different types. As shown above, the types in the preprocessed network address include resource path, identifier, parameter name, and parameter value. Identifiers refer to the structural separators in the network address: [?, =, &], etc. For example, the arrays corresponding to the four types are [path, flag, args_name, args_value], and the structural position encoding of each type is shown in the following formula:
[0090] $pos_{structure} = 2^{10 \cdot n}$
[0091] Where $pos_{structure}$ is the structural position encoding and n is the index of the type in the array. For example, if the index of the resource path in the array is 0, its structural position encoding is $2^{10 \cdot 0} = 1$.
[0092] Then, based on the type of each character in the preprocessed network address, the characters in the preprocessed network address are encoded to obtain the relative position codes of different characters. The position codes for different types of characters are calculated starting from 0. For example, Figure 3 is a schematic diagram illustrating a relative position encoding method as exemplarily provided in an embodiment of the present invention. The network address [/test?i=1234&v=ab10 and 1=1&e=test], after being generalized through word segmentation, becomes [/, test, ?, i=<num>, v, =, ab10, and, <num>, =, <num>, e, =, test]. The figure shows the result of relative position encoding of the network address after the above word segmentation generalization. In the figure, circles represent the encoding of characters of type identifier, squares represent the encoding of characters of type resource path, diamonds represent the encoding of characters of type parameter name, and triangles represent the encoding of characters of type parameter value.
[0093] Based on the type of different characters in the preprocessed network address, the relative positional encoding of each character is added to the structural positional encoding of the different types to obtain the semantic encoding of the preprocessed network address. Specifically, the relative positional encoding of characters of type identifier is added to the structural positional encoding of identifier; the relative positional encoding of characters of type resource path is added to the structural positional encoding of resource path; the relative positional encoding of characters of type parameter name is added to the structural positional encoding of parameter name; and the relative positional encoding of characters of type parameter value is added to the structural positional encoding of parameter value.
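The semantic encoding of [0089] to [0093] worked through on the page's example address, as an added Python example that is not code from the patent. The token list is constructed from that address with its "&" separators included; treating "/" as part of the resource path, using one relative counter per type across the whole address, the typing state machine and the range check are assumptions.

```python
# Type array order given in paragraph [0089] of the page.
TYPES = ["path", "flag", "args_name", "args_value"]

# Constructed sample: the page's address /test?i=1234&v=ab10 and 1=1&e=test
# after segmentation and generalization.
SAMPLE_TOKENS = [
    "/", "test", "?", "i", "=", "<num>", "&", "v", "=", "ab10", "and",
    "<num>", "=", "<num>", "&", "e", "=", "test",
]


def structural_position(type_name):
    """pos_structure = 2 ** (10 * n), n being the type's index in TYPES."""
    return 2 ** (10 * TYPES.index(type_name))


def classify(tokens):
    """Assign one of the four types to every token (assumed state machine).

    Only separators in a structural position count as identifiers
    ("flag"); an "=" inside a parameter value stays part of the value.
    """
    state = "path"
    types = []
    for token in tokens:
        if state == "path" and token == "?":
            types.append("flag")
            state = "args_name"
        elif state == "args_name" and token == "=":
            types.append("flag")
            state = "args_value"
        elif state != "path" and token == "&":
            types.append("flag")
            state = "args_name"
        else:
            types.append(state)
    return types


def semantic_encoding(tokens):
    """Return (token, type, relative position, semantic code) per token."""
    counters = dict.fromkeys(TYPES, 0)  # relative positions start at 0
    rows = []
    for token, type_name in zip(tokens, classify(tokens)):
        relative = counters[type_name]
        counters[type_name] += 1
        code = structural_position(type_name) + relative
        # Added check: a code must stay below the next type's base,
        # otherwise two different types would share one semantic code.
        limit = 2 ** (10 * (TYPES.index(type_name) + 1))
        if code >= limit:
            raise ValueError(f"too many {type_name} tokens for a unique code")
        rows.append((token, type_name, relative, code))
    return rows


if __name__ == "__main__":
    for row in semantic_encoding(SAMPLE_TOKENS):
        print("%-6s %-10s rel=%d code=%d" % row)
```

The token "test" appears twice in the sample and receives two different codes, one in the resource path range and one in the parameter value range, which is the structural information the word vector alone does not carry.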
[0094] Then, features are extracted from different characters in the preprocessed network address and quantized to obtain the word vector features of the preprocessed network address.
[0095] Finally, the neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain the detection model. Specifically, the semantic embedding matrix of each preprocessed network address in the training set is calculated based on its semantic encoding. For example, the semantic embedding matrix is calculated using the following formula:
[0096]
[0097] Where $pos_{semantic}$ is the semantic encoding of the network address, i is the dimension of the embedding vector, and $d_{model}$ is the total dimension of the embedding vector. The total dimension of the embedding vector is a value set empirically, such as 128 or 512; no specific limit is imposed on the total dimension here.
[0098] Based on the word vector features of each preprocessed network address in the training set, the word vector embedding matrix of each preprocessed network address in the training set is calculated.
[0099] The semantic embedding matrices and word embedding matrices of preprocessed network addresses in the training set are fused together to train the neural network model, resulting in a detection model. For example, after fusing the semantic embedding matrices and word embedding matrices of preprocessed network addresses in the training set, a multi-layer transformer encoder is used to extract features, followed by prediction through a classification layer. The transformer neural network model is then trained and its parameters are adjusted to obtain the detection model.
[0100] Step 230: If the detection result indicates that the network address to be detected is malicious, an alarm is triggered.
[0101] In this embodiment of the invention, after obtaining the detection result of the network address to be detected, if the detection result indicates that the network address to be detected is malicious, an alarm is triggered. If the detection result indicates that the network address to be detected is not malicious, the next network address to be detected is then detected.
[0102] In this embodiment of the invention, by combining the semantic encoding of network addresses and word vector features for model training, a detection model is obtained, which improves the detection model's understanding of the structure of network addresses and enhances the accuracy of injection attack detection.
[0103] Based on the same technical concept, Figure 4 shows an exemplary schematic diagram of an injection attack detection device provided in an embodiment of the present invention. This device can execute the process of the injection attack detection method.
[0104] As shown in Figure 4, the device specifically includes:
[0105] The acquisition module 410 is used to acquire the network address to be detected;
[0106] The processing module 420 is used to input the network address to be detected into the detection model and obtain the detection result of the network address to be detected output by the detection model; the detection model is trained based on the fusion of the semantic encoding of the network address and the word vector features of the network address, and the detection result characterizes whether the network address to be detected is malicious;
[0107] If the detection result indicates that the network address to be detected is malicious, an alarm is triggered.
[0108] Optionally, the processing module 420 is specifically used for:
[0109] Obtain a set of network addresses, which includes both malicious and non-malicious network addresses;
[0110] The network addresses in the network address set are preprocessed to obtain the training set;
[0111] For any preprocessed network address in the training set, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address.
[0112] Feature extraction is performed on different characters in the preprocessed network address, and then quantized to obtain the word vector features of the preprocessed network address;
[0113] The neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain the detection model.
[0114] Optionally, the processing module 420 is specifically used for:
[0115] For any network address in the network address set, the network address is decoded, and the first character in the network address is filtered to obtain a filtered network address; the first character indicates a character in the network address that cannot constitute an attack.
[0116] Based on regular expression extraction, the filtered network addresses are segmented and generalized to obtain preprocessed network addresses.
[0117] Optionally, the processing module 420 is specifically used for:
[0118] Calculate the type encoding of characters in the preprocessed network address to obtain the structural position encoding of the different types; the types include resource path, identifier, parameter name, and parameter value;
[0119] The characters in the preprocessed network address are encoded based on their type to obtain the relative position encoding of different characters;
[0120] Based on the type of different characters in the preprocessed network address, the relative position encoding of the different characters is added to the structural position encoding of the different types to obtain the semantic encoding of the preprocessed network address.
[0121] Optionally, the processing module 420 is specifically used for:
[0122] Based on the semantic encoding of each preprocessed network address in the training set, the semantic embedding matrix of each preprocessed network address in the training set is calculated.
[0123] Based on the word vector features of each preprocessed network address in the training set, the word vector embedding matrix of each preprocessed network address in the training set is calculated.
[0124] The semantic embedding matrix of each preprocessed network address in the training set and the word vector embedding matrix are fused together to train the neural network model, thereby obtaining the detection model.
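The preprocessing of [0115]-[0116] and the semantic encoding of [0118]-[0120], worked through on one URL as an added example that is not code from the patent. Assumptions: encoding is done per token rather than per character, scheme and host are the filtered part that cannot constitute an attack, "identifier" means the delimiters `/ ? & =`, digit runs generalize to `<num>`, and the per-type base codes in `TYPE_BASE` are illustrative values.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed structural position code per type; the patent names the four types only.
TYPE_BASE = {"path": 0, "identifier": 100, "param_name": 200, "param_value": 300}
WORD_RE = re.compile(r"[A-Za-z_]+|\d+|[^\sA-Za-z0-9_]")

def _words(text, kind):
    """Segment text with a regex and generalize digit runs to a <num> token."""
    return [("<num>" if w.isdigit() else w.lower(), kind) for w in WORD_RE.findall(text)]

def preprocess(url):
    """Decode, drop scheme and host (assumed harmless), then segment into typed tokens."""
    parts = urlsplit(unquote(url))
    tokens = []
    for segment in filter(None, parts.path.split("/")):
        tokens.append(("/", "identifier"))
        tokens += _words(segment, "path")
    for i, pair in enumerate(filter(None, parts.query.split("&"))):
        tokens.append(("?" if i == 0 else "&", "identifier"))
        name, sep, value = pair.partition("=")
        tokens += _words(name, "param_name")
        if sep:
            tokens.append(("=", "identifier"))
        tokens += _words(value, "param_value")
    return tokens

def semantic_encoding(tokens):
    """Structural code of the token's type plus its relative position within that type."""
    seen = dict.fromkeys(TYPE_BASE, 0)
    codes = []
    for _, kind in tokens:
        codes.append(TYPE_BASE[kind] + seen[kind])
        seen[kind] += 1
    return codes

# Constructed sample input, not taken from the patent.
SAMPLE = "http://shop.example/item/42/view?id=7%27%20OR%201%3D1&sort=asc"

if __name__ == "__main__":
    toks = preprocess(SAMPLE)
    for (text, kind), code in zip(toks, semantic_encoding(toks)):
        print(f"{code:>3}  {kind:<11} {text}")
```

The `=` that separates `id` from its value is encoded in the identifier range, while the `=` inside the value lands in the parameter-value range, which is the structural distinction a plain word vector does not carry. Because decoding precedes segmentation, as in [0115], an encoded `&` or `=` inside a value is re-read as a delimiter and shifts the type of everything after it.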
[0125] Based on the same technical concept, embodiments of the present invention also provide a computer device, including:
[0126] Memory, used to store program instructions;
[0127] The processor is used to call the program instructions stored in the memory and execute the above-mentioned injection attack detection method according to the obtained program.
[0128] Based on the same technical concept, embodiments of the present invention also provide a computer-readable storage medium storing computer-executable instructions, which are used to cause a computer to execute the above-described injection attack detection method.
[0129] Based on the same technical concept, this invention also provides a computer program product, characterized in that the computer program product includes an executable program which, when executed by a processor, implements the above-described injection attack detection method.
[0130] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0131] This application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to this application. It should be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, produce a device for implementing the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0132] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which implement the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0133] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, so that the instructions that execute on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more boxes of the block diagram.
[0134] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. A method for detecting injection attacks, characterized in that it includes:
Obtain the network address to be detected;
Input the network address to be detected into the detection model, and obtain the detection result of the network address to be detected output by the detection model; the detection model is trained based on the fusion of semantic encoding and word vector features of network addresses, and the detection result characterizes whether the network address to be detected is malicious;
If the detection result indicates that the network address to be detected is malicious, an alarm is triggered;
Training the detection model based on the fusion of semantic encoding and word vector features of network addresses includes:
Obtain a set of network addresses, which includes both malicious and non-malicious network addresses;
The network addresses in the network address set are preprocessed to obtain the training set;
For any preprocessed network address in the training set, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address; the semantic encoding of the preprocessed network address is based on the relative position encoding of each type of character in the network address and the absolute position encoding of each character's type;
Feature extraction is performed on different characters in the preprocessed network address, and then quantized to obtain the word vector features of the preprocessed network address;
The neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain the detection model;
Obtaining the semantic encoding of the preprocessed network address by encoding different characters in the preprocessed network address includes:
Calculate the type encoding of characters in the preprocessed network address to obtain the structural position encoding of the different types; the types include resource path, identifier, parameter name, and parameter value;
The characters in the preprocessed network address are encoded based on their type to obtain the relative position encoding of different characters;
Based on the type of different characters in the preprocessed network address, the relative position encoding of the different characters is added to the structural position encoding of the different types to obtain the semantic encoding of the preprocessed network address.
2. The method as described in claim 1, characterized in that preprocessing the network addresses in the network address set includes:
For any network address in the network address set, the network address is decoded, and the first character in the network address is filtered to obtain a filtered network address; the first character indicates a character in the network address that cannot constitute an attack;
Based on regular expression extraction, the filtered network addresses are segmented and generalized to obtain preprocessed network addresses.
3. The method as described in claim 1, characterized in that training the neural network model based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain a detection model includes:
Based on the semantic encoding of each preprocessed network address in the training set, the semantic embedding matrix of each preprocessed network address in the training set is calculated;
Based on the word vector features of each preprocessed network address in the training set, the word vector embedding matrix of each preprocessed network address in the training set is calculated;
The semantic embedding matrix of each preprocessed network address in the training set and the word vector embedding matrix are fused together to train the neural network model, thereby obtaining the detection model.
4. An injection attack detection device, characterized in that it includes:
The acquisition module is used to acquire the network address to be detected;
The processing module is used to input the network address to be detected into the detection model and obtain the detection result of the network address to be detected output by the detection model; the detection model is trained based on the fusion of the semantic encoding of the network address and the word vector features of the network address, and the detection result characterizes whether the network address to be detected is malicious;
If the detection result indicates that the network address to be detected is malicious, an alarm is triggered;
Optionally, the processing module is specifically used for:
Obtain a set of network addresses, which includes both malicious and non-malicious network addresses;
The network addresses in the network address set are preprocessed to obtain the training set;
For any preprocessed network address in the training set, the semantic encoding of the preprocessed network address is obtained by encoding different characters in the preprocessed network address; the semantic encoding of the preprocessed network address is based on the relative position encoding of each type of character in the network address and the absolute position encoding of each character's type;
Feature extraction is performed on different characters in the preprocessed network address, and then quantized to obtain the word vector features of the preprocessed network address;
The neural network model is trained based on the semantic encoding and word vector features of the preprocessed network addresses in the training set to obtain the detection model;
Optionally, the processing module is specifically used for:
Calculate the type encoding of characters in the preprocessed network address to obtain the structural position encoding of the different types; the types include resource path, identifier, parameter name, and parameter value;
The characters in the preprocessed network address are encoded based on their type to obtain the relative position encoding of different characters;
Based on the type of different characters in the preprocessed network address, the relative position encoding of the different characters is added to the structural position encoding of the different types to obtain the semantic encoding of the preprocessed network address.
5. A computer device, characterized in that it includes:
Memory, used to store program instructions;
A processor configured to invoke program instructions stored in the memory and execute the method according to any one of claims 1 to 3 in accordance with the obtained program.
6. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer-executable instructions for causing a computer to perform the method according to any one of claims 1 to 3.
7. A computer program product, characterized in that the computer program product includes an executable program that is executed by a processor to implement the method of any one of claims 1 to 3.