Network-based security management and control method and system for different scenarios
By combining blacklist mechanisms, whitelist mechanisms, or SQL syntax tree analysis with neural network models in different scenarios, the problem of low SQL injection detection efficiency in scenarios with a large number of SQL access requests in a short period of time is solved, achieving fast response and efficient detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- OPEN ATOM OPEN SOURCE FOUNDATION
- Filing Date
- 2025-06-16
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies are inefficient at detecting SQL injection when faced with a large number of SQL access requests in a short period of time, resulting in slow response times.
The system employs a first interception rule based on a blacklist mechanism, a whitelist mechanism, or SQL syntax tree analysis for initial detection. When the number of requests reaches a certain threshold, the request parameters are converted into grayscale images, and a trained neural network model is used for binary classification reasoning to quickly detect SQL injection behavior with multiple request parameters.
In scenarios involving a large number of SQL access requests within a short period of time, this technology accelerates response times, improves SQL injection detection efficiency, reduces computational load, and enhances detection accuracy and speed.
Smart Images

Figure CN120915482B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of network security protection technology, and in particular to a network security management method and system based on different scenarios. Background Technology
[0002] In web applications, user input data is passed to the backend database via the frontend page, and the backend database uses this input data to construct SQL queries. SQL injection is a hacking technique used to attack websites. It exploits vulnerabilities in the website's code to secretly insert malicious code into database queries, aiming to bypass login verification, steal data, or even control the database.
[0003] Relatively mature SQL injection detection solutions are already available in related technologies, including whitelisting or blacklisting mechanisms and SQL syntax tree analysis. Whitelisting mechanisms use regular expressions to define a "safe character set" for input, allowing users to input only content deemed "safe" and rejecting any input that does not conform to the whitelist rules. For example, only letters, numbers, and underscores are allowed. Blacklisting mechanisms use regular expressions to match dangerous characters or keywords to prevent users from inputting data containing malicious content. For example, regular expressions might filter out common SQL injection characters or key phrases such as --, ;, 'OR', and '1=1'. SQL syntax tree analysis parses SQL statements into a syntax tree structure, then traverses and analyzes key nodes (such as OR and AND) to detect the presence of injection behaviors (such as redundant conditions or bypass logic). For example, a tree has a root node SELECT, below which are FROM and WHERE subtrees. The WHERE subtree further branches into logical nodes OR, which then branch down to two conditions: username = 'admin' and '1' = '1'. When traversing to these two conditions under the OR logical node, username = 'admin' and '1' = '1', it is determined that an injection has occurred.
[0004] The SQL injection detection solutions described above are effective when dealing with a small number of SQL access requests within a short period. However, when faced with a large number of SQL access requests within a short period, the detection efficiency is low, leading to slow response times. Therefore, different SQL injection detection solutions are needed for different scenarios. Summary of the Invention
[0005] The purpose of this invention is to at least solve one of the technical problems existing in the prior art, and to provide a network security management method and system based on different scenarios, which can provide corresponding SQL injection detection schemes for different scenarios, and can speed up the response speed to a large number of SQL access requests in a short period of time.
[0006] To achieve the above-mentioned objectives, the present invention provides the following technical solution:
[0007] Firstly, a network security management method based on different scenarios is provided, the method comprising:
[0008] When the number of elements in the pending response queue is less than a preset number, SQL injection detection is performed on each request parameter based on the first interception rule to obtain the SQL injection detection result; wherein, each element in the pending response queue is a received request parameter to be responded to; the first interception rule includes SQL injection detection based on blacklist mechanism or whitelist mechanism or SQL syntax tree analysis;
[0009] When the number of elements in the pending response queue reaches a preset number, SQL injection detection is performed on each request parameter simultaneously based on the second interception rule to obtain the SQL injection detection result. The second interception rule involves converting the preset number of elements in the pending response queue into sub-grayscale images according to a preset rule, stitching the sub-grayscale images together into a total grayscale image of a first preset size, and performing binary classification reasoning on the total grayscale image based on a trained target neural network model. Based on the result of the binary classification reasoning on the total grayscale image, the result of simultaneously performing SQL injection detection on multiple request parameters corresponding to the preset number of elements in the pending response queue is obtained.
[0010] Based on the SQL injection detection results obtained from the first or second interception rule and the request parameters to be responded to, the corresponding response operation is executed.
[0011] As a further improvement, the target neural network model is trained using multiple sets of training data. Each set of training data includes: a total grayscale image of a first preset size obtained by stitching together the sub-grayscale images after converting a set of preset number of request parameters into sub-grayscale images, and a label used to mark whether there is SQL injection behavior in the set of preset number of request parameters corresponding to the total grayscale image.
[0012] As a further improvement, the method also includes:
[0013] When the SQL injection detection result obtained based on the second interception rule indicates that there is SQL injection behavior in a set of preset number of request parameters corresponding to the total grayscale image, the total grayscale image is divided equally along the vertical axis of the image coordinate system to obtain two initial first-level grayscale images.
[0014] After expanding the two initial level-one grayscale images to the first preset size, two final level-one grayscale images are obtained.
[0015] Two final grayscale images of the first preset size are input into the trained target neural network for binary classification reasoning;
[0016] Based on the results of binary classification reasoning on the final first-level grayscale image, it is determined whether there is SQL injection behavior in the multiple request parameters corresponding to the two final first-level grayscale images.
[0017] As a further improvement, the step of converting a preset number of elements in the queue to be responded to into a sub-grayscale image according to a preset rule specifically includes:
[0018] The characters of the request parameters corresponding to each element in the queue to be responded to are encoded one by one according to the preset encoding table to obtain the encoding sequence;
[0019] Based on the encoded sequence, a grayscale value sequence corresponding to each request parameter is obtained;
[0020] According to a preset strategy, the pixel values at corresponding positions in the template image of the second preset size are adjusted to be consistent with the grayscale value sequence to obtain the sub-grayscale image.
[0021] As a further improvement, the target neural network is a feedforward neural network, the first preset size is 1 pixel * M pixels, the second preset size corresponding to the sub-grayscale image is 1 pixel * N pixels, and the preset quantity is w; wherein, M, N, and w are all positive integer variables not less than 2, and M = w * N;
[0022] After the step of converting a preset number of elements in the response queue into sub-grayscale images according to a preset rule, and before the step of stitching the sub-grayscale images into a single grayscale image of a first preset size, the method further includes:
[0023] Get the character length L of the request parameters corresponding to each element in the pending response queue;
[0024] Define the elements with character length L = N in the queue to be responded to as the first type of elements;
[0025] If the target string consisting of the last character of the first type of element in the response queue and the first character of the next element adjacent to the first type of element is detected as an abnormal combination, then all elements in the response queue are rearranged into a first intermediate sequence; wherein, the target string consisting of the last character of the first type of element in the first intermediate sequence and the first character of the next element adjacent to the first type of element is not an abnormal combination.
[0026] The step of stitching together the individual grayscale images into a single grayscale image of a first preset size specifically includes:
[0027] Based on the arrangement order of each element in the first intermediate sequence, determine the arrangement order of the sub-grayscale images with a second preset size of 1 pixel * N pixels corresponding to each element;
[0028] According to the arrangement order of the sub-grayscale images, w sub-grayscale images are arranged sequentially along the horizontal axis from smallest to largest to obtain a total grayscale image with a first preset size of 1 pixel * M pixels; wherein, there are no gaps or overlapping areas between adjacent sub-grayscale images arranged from smallest to largest along the horizontal axis.
[0029] As a further improvement, the step of converting a preset number of elements in the queue to be responded to into a sub-grayscale image according to a preset rule specifically includes:
[0030] The characters of the request parameters corresponding to each element in the first intermediate sequence are encoded one by one according to the preset encoding table to obtain the encoding sequence;
[0031] Based on the encoded sequence, a grayscale value sequence corresponding to each request parameter is obtained;
[0032] According to a preset strategy, the pixel values at corresponding positions in a template image of a second preset size are adjusted to match the grayscale value sequence to obtain the sub-grayscale image;
[0033] The preset strategy includes:
[0034] If the second preset size is 1 pixel * N pixels, then starting from the pixel with the smallest number in the image coordinate system where the template image is located, the gray values of each pixel in the template image are adjusted to the values corresponding to each element in the gray value sequence in ascending order of the numbers. If the length of the gray value sequence is less than N, then the gray values of pixels in the template image that do not correspond to the gray value sequence are set to default gray values. The default gray values are different from any value in the encoding table. The pixel number is the horizontal coordinate of the pixel. The number of pixels in the template image is not less than the length of the gray value sequence.
[0035] As a further improvement, the target neural network is a convolutional neural network, the first preset size is M pixels * M pixels, the second preset size corresponding to the sub-grayscale image is N pixels * N pixels, and the preset quantity is w; wherein, M, N, and w are all positive integer variables not less than 2, and w^(0.5) is a positive integer; and M*M=w*N*N;
[0036] After the step of converting a preset number of elements in the response queue into sub-grayscale images according to a preset rule, and before the step of stitching the sub-grayscale images into a single grayscale image of a first preset size, the method further includes:
[0037] Get the character length L of the request parameters corresponding to each element in the pending response queue;
[0038] Elements with a character length L ≤ N*N-4*(N-1) in the queue to be responded to are defined as the second type of elements;
[0039] If the number of second-type elements in the queue to be responded to is not less than 0.5*w and the order k of the second-type elements in the queue to be responded to does not meet the following condition one, all elements in the queue to be responded to will be rearranged into a second intermediate sequence; wherein, when the order p of the second-type elements in the sequence obtained by rearranging all elements in the queue to be responded to meets the following condition two, the sequence is defined as the second intermediate sequence.
[0040] Condition 1: When kmod 2*w^(0.5)≤w^(0.5), k mod 2=1; when kmod 2*w^(0.5)>w^(0.5), k mod 2=0;
[0041] Condition 2: When p mod 2*w^(0.5)≤w^(0.5), p mod 2=1; when p mod 2*w^(0.5)>w^(0.5), p mod 2=0; where k and p are both positive integer variables; mod is the modulo operator;
[0042] The step of stitching together the individual grayscale images into a single grayscale image of a first preset size specifically includes:
[0043] According to the arrangement order of each element in the second intermediate sequence, determine the arrangement order of the sub-grayscale images with a second preset size of N pixels * N pixels corresponding to each element;
[0044] The w sub-grayscale images are divided into w^(0.5) image groups; the sub-grayscale images in each image group are arranged in a continuous order; and the number of sub-grayscale images in each image group is the same.
[0045] For each image group, according to the arrangement order of the sub-grayscale images, w^(0.5) consecutive sub-grayscale images are arranged from smallest to largest along the horizontal axis to obtain an intermediate grayscale image of size N pixels * M pixels corresponding to each image group, and a total of w^(0.5) intermediate grayscale images of size N pixels * M pixels are obtained.
[0046] According to the image group numbers in ascending order, w^(0.5) intermediate grayscale images of size N pixels * M pixels are arranged in ascending order along the vertical axis to obtain a total grayscale image of the first preset size M pixels * M pixels; wherein, there are no gaps or overlapping areas between adjacent sub-grayscale images arranged in ascending order along the horizontal axis and in ascending order along the vertical axis; the image group number is the minimum value of the arrangement order of each sub-grayscale image contained in the image group.
[0047] As a further improvement, where w is an even number, the method further includes:
[0048] In the second intermediate sequence, the positions corresponding to the permutation order q that meets condition three are all set with elements of the second type;
[0049] Condition 3: q mod w^(0.5) = 1 and q mod w^(0.5) = (0.5 * w^(0.5) + 1) and q ≤ w^(0.5) and 0.5 * w < q ≤ 0.5 * w + w^(0.5); where q is a positive integer variable.
[0050] As a further improvement, the request parameters corresponding to the second type of elements in the second intermediate sequence are defined as the second type of request parameters.
[0051] The step of converting a preset number of elements in the second intermediate sequence into a sub-grayscale image according to a preset rule specifically includes:
[0052] The characters of the request parameters corresponding to each element in the queue to be responded to are encoded one by one according to the preset encoding table to obtain the encoding sequence;
[0053] Based on the encoded sequence, a grayscale value sequence corresponding to each request parameter is obtained;
[0054] According to a preset strategy, the pixel values at corresponding positions in a template image of a second preset size are adjusted to match the grayscale value sequence to obtain the sub-grayscale image;
[0055] The preset strategy includes:
[0056] If the second preset size is N pixels * N pixels, for the second type of request parameter, starting from the smallest pixel in the specified area of the image coordinate system where the template image is located, the gray values of each pixel in the specified area are adjusted to the values corresponding to each element in the gray value sequence corresponding to the second type of request parameter in order from smallest to largest according to the pixel numbers in the specified area.
[0057] For other request parameters that do not belong to the second type of request parameters, starting from the pixel with the smallest number in the image coordinate system where the template image is located, adjust the gray value of each pixel in the template image in ascending order of the pixel numbers to the value corresponding to each element in the gray value sequence of the other request parameters that do not belong to the second type of request parameters.
[0058] Wherein, the pixel number is a two-digit number, with the tens digit being the x-coordinate and the units digit being the y-coordinate; the number of pixels in the specified area is not less than the length of the grayscale value sequence; the range of the pixel numbers a*10+b in the specified area meets the following condition four:
[0059] Condition 4: 1 < a < N and 1 < b < N; where a and b are both positive integer variables, a is the tens digit of the pixel number in the specified area, and b is the units digit of the pixel number in the specified area.
[0060] Secondly, the present invention also provides a network security management system based on different scenarios, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program and performs the steps of the above-described network security management method based on different scenarios.
[0061] Beneficial Effects: Compared to existing technologies, the network security management method and system provided in this application, based on different scenarios, can offer corresponding SQL injection detection solutions for different scenarios and accelerate the response speed to large-scale SQL access requests in a short period of time. Specifically, the second interception rule can simultaneously obtain SQL injection detection results for multiple request parameters, thereby improving the efficiency of SQL injection detection. Since binary classification reasoning is used, the output dimensions are fewer, and compared to multi-dimensional reasoning, this embodiment requires less computation, thus resulting in faster reasoning speed.
[0062] Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. Attached Figure Description
[0063] The present invention will be further described below with reference to the accompanying drawings and embodiments;
[0064] Figure 1 This is a flowchart illustrating a network security management method based on different scenarios in one embodiment;
[0065] Figure 2 This is a flowchart illustrating a network security management method based on different scenarios in yet another embodiment;
[0066] Figure 3 This is a schematic diagram illustrating the principle of evenly dividing the total grayscale image along the vertical axis in one embodiment;
[0067] Figure 4 This is a schematic diagram illustrating the principle of expanding a primary grayscale image to a first preset size in one embodiment;
[0068] Figure 5 This is a flowchart illustrating the process of converting request parameters into a sub-grayscale image in one embodiment;
[0069] Figure 6 This is a schematic diagram illustrating the principle of converting request parameters into a sub-grayscale image in one embodiment;
[0070] Figure 7 This is a schematic diagram illustrating the principle of adjusting the queue to be responded to as the first intermediate sequence in one embodiment;
[0071] Figure 8 This is a schematic diagram illustrating the principle of stitching together individual grayscale images into a single grayscale image of a first preset size in one embodiment.
[0072] Figure 9 This is a schematic diagram illustrating the principle of converting request parameters into a sub-grayscale image in another embodiment;
[0073] Figure 10 This is a schematic diagram showing the numbering of each pixel in the template image corresponding to the sub-grayscale image in one embodiment;
[0074] Figure 11 This is a schematic diagram illustrating the principle of adjusting the queue to be responded to as the first intermediate sequence in another embodiment. Detailed Implementation
[0075] This section will describe in detail specific embodiments of the present invention. Preferred embodiments of the present invention are shown in the accompanying drawings. The purpose of the drawings is to supplement the textual description with graphics, so that people can intuitively and vividly understand each technical feature and overall technical solution of the present invention, but they should not be construed as limiting the scope of protection of the present invention.
[0076] In one embodiment, such as Figure 1 As shown, a network security management method based on different scenarios is provided, the method including:
[0077] In step S202, when the server detects that the number of elements in the pending response queue is less than a preset number, it performs SQL injection detection on each request parameter based on the first interception rule to obtain the SQL injection detection result. Here, each element in the pending response queue represents a received request parameter awaiting response; the first interception rule includes SQL injection detection based on a blacklist mechanism, a whitelist mechanism, or SQL syntax tree analysis.
[0078] In step S204, when the server detects that the number of elements in the response queue exceeds a preset number, it simultaneously performs SQL injection detection on each request parameter based on the second interception rule, obtaining the SQL injection detection result. The second interception rule involves converting the preset number of elements in the response queue into sub-grayscale images according to a preset rule, stitching the sub-grayscale images together into a total grayscale image of a first preset size, and performing binary classification inference on the total grayscale image based on a trained target neural network model. Based on the result of the binary classification inference on the total grayscale image, the server obtains the result of simultaneously performing SQL injection detection on multiple request parameters corresponding to the preset number of elements in the response queue.
[0079] Step S206: The server executes the corresponding response operation based on the SQL injection detection result obtained from the first or second interception rule and the request parameters to be responded to.
[0080] Specifically, when multiple clients access the database on the server simultaneously, the request parameters entered by users on the multiple clients are passed to the server through the front-end page. The server constructs SQL query statements based on the received request parameters, and then responds to these request parameters to operate the database. In one example, the server stores the received request parameters in a pending response queue. That is, each element in the pending response queue is a request parameter received from multiple clients, and request parameters that have been responded to are removed from the pending response queue.
[0081] In one example, the preset number is 64. When the number of elements in the response queue is less than 64, the server performs SQL injection detection on each request parameter according to the order in which they were added to the queue, based on the first interception rule. The specific first interception rule includes SQL injection detection based on a blacklist mechanism, a whitelist mechanism, or SQL syntax tree analysis. SQL injection detection based on blacklist mechanisms, whitelist mechanisms, or SQL syntax tree analysis are conventional techniques in this field and will not be elaborated here. When the number of elements in the response queue reaches 64, the server performs SQL injection detection on each request parameter simultaneously based on the second interception rule, obtaining the SQL injection detection result. Specifically, the second interception rule can obtain SQL injection detection results for multiple request parameters simultaneously, thereby improving the efficiency of SQL injection detection. It is understandable that, due to the use of binary classification reasoning, the output has fewer dimensions. Compared to multi-dimensional reasoning, this embodiment requires less computation and therefore has a faster reasoning speed. Therefore, this embodiment provides a network security management method based on different scenarios, which can provide corresponding SQL injection detection solutions for different scenarios and accelerate the response speed to a large number of SQL access requests in a short period of time.
[0082] Specifically, the target neural network model is trained using multiple sets of training data. Each set of training data includes: a total grayscale image of a first preset size obtained by stitching together sub-grayscale images after converting a preset number of request parameters into sub-grayscale images; and a label used to mark whether SQL injection behavior exists in the preset number of request parameters corresponding to the total grayscale image. The specific training process of the neural network model is prior art and will not be described in detail here.
[0083] Using a neural network model, multiple request parameters can be identified for SQL injection at once. For example, if the total grayscale image corresponding to 64 request parameters is input into the neural network model and the result shows no SQL injection behavior, then SQL injection detection for all 64 request parameters can be completed at once, eliminating the need for individual SQL injection detection and thus improving the response efficiency for these 64 request parameters. Therefore, this embodiment is more efficient for scenarios with a large number of requests in a short period. When only a small number of requests exist in a short period, the first interception rule will be triggered for injection detection, making the detection scheme provided in this embodiment applicable to various scenarios.
[0084] like Figure 2 As shown, in one embodiment, the method further includes:
[0085] Step S302: When the SQL injection detection result obtained based on the second interception rule indicates that there is SQL injection behavior in a set of preset number of request parameters corresponding to the total grayscale image, the total grayscale image is divided into two initial first-level grayscale images by average along the vertical axis of the image coordinate system.
[0086] Step S304: Expand the two initial first-level grayscale images to the first preset size to obtain two final first-level grayscale images.
[0087] Step S306: Input the two final grayscale images of the first preset size into the trained target neural network for binary classification reasoning.
[0088] Step S308: Based on the result of binary classification reasoning on the final first-level grayscale image, determine whether there is SQL injection behavior in the multiple request parameters corresponding to the two final first-level grayscale images.
[0089] Specifically, such as Figure 3 and Figure 4 As shown, the total grayscale image is plotted along the vertical axis of the image coordinate system (i.e., Figure 3 After dividing the image along the u-axis (in the image plane) into two initial first-level grayscale images, each image is then expanded to a first preset size to obtain two final first-level grayscale images. For example... Figure 4 As shown, in this embodiment, the preset number is 64, and the size of each sub-grayscale image is 5 pixels * 5 pixels. Therefore, the total grayscale image size is 40 pixels * 40 pixels, the size of the two initial first-level grayscale images is 20 pixels * 40 pixels, and the first preset size is 40 pixels * 40 pixels. Therefore, in this embodiment, expanding each initial first-level grayscale image to the first preset size specifically includes:
[0090] Make a copy of each initial level-one grayscale image to obtain a copy grayscale image with the same size and content as the original initial level-one grayscale image;
[0091] The copy grayscale image is stitched together with the original initial grayscale image to expand the initial grayscale image to a first preset size, and the stitched image is the final grayscale image.
[0092] like Figure 4 As shown, the final first-level grayscale image obtained by stitching only includes half of the 64 (i.e., the preset number) request parameters, namely the sub-grayscale images corresponding to the 32 request parameters. At the same time, since the size of the final first-level grayscale image after stitching is the same as the total grayscale image, the above-mentioned target neural network model can be directly used for binary classification reasoning. There is no need to train and use a new model. Only one model is needed to be applicable to the detection of SQL injection behavior with different numbers of request parameters, which is lower in cost and more versatile.
[0093] It should be noted that when the final first-level grayscale image is half of the preset number (64 in this embodiment), i.e., the image corresponding to 32 request parameters, and the result obtained after binary classification inference indicates that one of the final first-level grayscale images does not contain SQL injection behavior, then all 32 request parameters corresponding to that final first-level grayscale image are judged to be safe and can be responded to by the server to execute the corresponding response operation. If the other final first-level grayscale image contains SQL injection behavior, then the final first-level grayscale image is further divided equally along the horizontal axis of the image coordinate system to obtain two initial second-level grayscale images. Then, the two initial second-level grayscale images are expanded to a first preset size to obtain two final second-level grayscale images (similarly, each final second-level grayscale image corresponds to one-quarter of the preset number (64 in this embodiment), i.e., 16 request parameters). The two final second-level grayscale images of the first preset size are input into the trained target neural network for binary classification inference. Based on the result of binary classification inference, the detection result of whether SQL injection behavior exists in the two sets of 16 request parameters each can be obtained.
[0094] In one embodiment, such as Figure 5 As shown, the step of converting a preset number of elements in the response queue into sub-grayscale images according to preset rules specifically includes:
[0095] Step S402: Encode each character of the request parameter corresponding to each element in the queue to be responded to according to the preset encoding table to obtain the encoding sequence.
[0096] Step S404: Obtain the grayscale value sequence corresponding to each request parameter based on the encoded sequence.
[0097] Step S406: According to a preset strategy, adjust the pixel values at the corresponding positions in the template image of the second preset size to be consistent with the grayscale value sequence to obtain the sub-grayscale image.
[0098] Specifically, when encoding each character, the numerical value corresponding to each character is determined according to its ASCII code; that is, each character is represented by its corresponding decimal ASCII code as its grayscale value. For example, a request parameter containing the content "1'or 1=1--" contains 12 characters, including spaces. In this paper, the number of characters is defined as the character length L of the request parameter, meaning the character length of this request parameter is 12. Figure 6As shown, the grayscale value is determined by the decimal value corresponding to the ASCII code, resulting in the encoding sequence {49, 39, 32, 111, 114, 32, 49, 61, 49, 32, 45, 45}. The grayscale value sequence corresponding to the request parameter is directly set to be the same as the encoding sequence corresponding to the request parameter, i.e., the grayscale value sequence is also {49, 39, 32, 111, 114, 32, 49, 61, 49, 32, 45, 45}.
[0099] like Figure 6 As shown, in one example, the template image of the second preset size is a one-dimensional image with a length of 25 pixels (i.e., the size of the image is 1 pixel * 25 pixels), and the grayscale value sequence has a total of 12 elements. Therefore, the preset strategy is to adjust the grayscale values of the first 12 pixels in the one-dimensional template image to the values corresponding to each element in the grayscale value sequence in turn, while the grayscale values of the other pixels in the one-dimensional template image are all set to 0 by default.
[0100] like Figure 6 As shown, in one example, the template image of the second preset size is a two-dimensional image with a size of 5 pixels * 5 pixels, and the gray value sequence has a total of 12 elements. Therefore, the preset strategy is to adjust the gray values of the first 12 pixels in the two-dimensional template image to the values corresponding to each element in the gray value sequence in turn, while the gray values of the other pixels in the one-dimensional template image are all set to 0 by default.
[0101] Example 1:
[0102] In one embodiment, the target neural network is a feedforward neural network, the first preset size is 1 pixel * M pixels, the second preset size corresponding to the sub-grayscale image is 1 pixel * N pixels, and the preset quantity is w; wherein M, N, and w are all positive integer variables not less than 2, and M = w * N;
[0103] After the step of converting a preset number of elements in the response queue into sub-grayscale images according to a preset rule, and before the step of stitching the sub-grayscale images into a single grayscale image of a first preset size, the method further includes:
[0104] Step S502: Obtain the character length L of the request parameters corresponding to each element in the queue to be responded to.
[0105] Step S504: Define the elements with character length L = N in the queue to be responded to as first-class elements.
[0106] Step S506: If the target string consisting of the last character of the first type of element in the response queue and the first character of the next element adjacent to the first type of element is detected as an abnormal combination, then all elements in the response queue are rearranged into a first intermediate sequence; wherein the target string consisting of the last character of the first type of element in the first intermediate sequence and the first character of the next element adjacent to the first type of element is not an abnormal combination.
[0107] For example, if neither the request parameters corresponding to a certain first-class element nor the next element in the vector of that first-class element contain any injection behavior, but the target string formed by the last character of the first-class element and the first character of the next adjacent element is "--" or "or", it may be misjudged as having injection behavior in the binary classification inference of the target neural network. Therefore, these target strings are defined as anomalous combinations. Specifically, the target strings corresponding to anomalous combinations are pre-configured for matching in step S506. The target strings corresponding to anomalous combinations are determined by engineers based on strings in request parameters commonly associated with SQL injection behavior, such as "--" or "or" often used in SQL injection.
[0108] like Figure 7 As shown, when the target string consisting of the last character of the first type of element in the response queue and the first character of the next element adjacent to that first type of element is detected as an abnormal combination, the elements in the response queue will be rearranged to obtain a first intermediate sequence. The target string consisting of the last character of the first type of element in the first intermediate sequence and the first character of the next element adjacent to that first type of element is not an abnormal combination. Figure 7 As shown, when element 2 in the response queue is a first-class element and the target string formed by the last character of element 2 and the first character of the adjacent next element 3 is an abnormal combination, the positions of element 2 and element 3 will be swapped to eliminate the abnormal combination, thereby reducing the error of the neural network inference result caused by the abnormal combination, that is, improving the accuracy of neural network inference.
[0109] The step of stitching together the individual grayscale images into a single grayscale image of a first preset size specifically includes:
[0110] Step S508: Determine the arrangement order of the sub-grayscale images with a second preset size of 1 pixel * N pixels corresponding to each element according to the arrangement order of each element in the first intermediate sequence.
[0111] Step S510: According to the arrangement order of the sub-grayscale images, arrange w sub-grayscale images sequentially along the horizontal axis from smallest to largest to obtain a total grayscale image with a first preset size of 1 pixel * M pixels; wherein, there are no gaps or overlapping areas between the adjacent sub-grayscale images arranged from smallest to largest along the horizontal axis.
[0112] According to steps S508 to S510, a total grayscale image with a first preset size of 1 pixel * M pixels is obtained. The total grayscale image is then input into the target neural network to perform binary classification reasoning and detect SQL injection situations involving multiple request parameters.
[0113] In one embodiment, converting a preset number of elements in the response queue into a sub-grayscale image according to a preset rule specifically includes:
[0114] Step S511: Encode each character of the request parameter corresponding to each element in the first intermediate sequence according to the preset encoding table to obtain the encoding sequence.
[0115] Step S512: Obtain the grayscale value sequence corresponding to each request parameter based on the encoded sequence.
[0116] Step S513: According to a preset strategy, adjust the pixel values at the corresponding positions in the template image of the second preset size to be consistent with the grayscale value sequence to obtain the sub-grayscale image.
[0117] The default encoding table is the ASCII encoding table. When encoding each character, the numerical value corresponding to each character is determined according to its ASCII code. That is, each character is represented by its corresponding decimal value based on its ASCII code. For example, a request parameter containing the content "1'or 1=1--" contains 12 characters, including spaces. In this article, the number of characters is defined as the character length L of the request parameter, meaning the character length of this request parameter is 12. Figure 6 As shown, the grayscale value is determined by the decimal representation of the ASCII code for each character, resulting in the encoding sequence {49, 39, 32, 111, 114, 32, 49, 61, 49, 32, 45, 45}. The grayscale value sequence corresponding to the request parameter is directly set to be the same as the encoding sequence, i.e., the grayscale value sequence is also {49, 39, 32, 111, 114, 32, 49, 61, 49, 32, 45, 45}. Figure 6 As shown, in one example, the template image of the second preset size is a one-dimensional image with a length of 25 pixels (i.e., the size of the image is 1 pixel * 25 pixels), and the grayscale value sequence has a total of 12 elements. Therefore, the preset strategy is to adjust the grayscale values of the first 12 pixels in the one-dimensional template image to the values corresponding to each element in the grayscale value sequence in turn, while the grayscale values of the other pixels in the one-dimensional template image are all set to 0 by default.
[0118] In summary, the preset strategies include:
[0119] If the second preset size is 1 pixel * N pixels, then starting from the pixel with the smallest number in the image coordinate system of the template image, the gray values of each pixel in the template image are adjusted sequentially according to the ascending order of the numbers to the values corresponding to each element in the gray value sequence. If the length of the gray value sequence is less than N, then the gray values of pixels in the template image that do not correspond to the gray value sequence are set to default gray values. The default gray values are different from any value in the encoding table; wherein, the pixel number is the horizontal coordinate of the pixel; the number of pixels in the template image is not less than the length of the gray value sequence. Figure 6 As shown, the horizontal axis is v and the vertical axis is u.
[0120] Example 2:
[0121] In one embodiment, the target neural network is a convolutional neural network, the first preset size is M pixels * M pixels, the second preset size corresponding to the sub-grayscale image is N pixels * N pixels, and the preset quantity is w; wherein M, N, and w are all positive integer variables not less than 2, and w^(0.5) is a positive integer; and M*M=w*N*N;
[0122] After the step of converting a preset number of elements in the response queue into sub-grayscale images according to a preset rule, and before the step of stitching the sub-grayscale images into a single grayscale image of a first preset size, the method further includes:
[0123] Step S602: Obtain the character length L of the request parameters corresponding to each element in the queue to be responded to.
[0124] Step S604: Define the elements in the queue to be responded to with a character length L≤N*N-4*(N-1) as the second type of elements.
[0125] For example, if an element in the response queue is 'OR 1=1' and its character length is 8, then that element is a second type of element.
[0126] Step S606: If the number of second-type elements in the response queue is not less than 0.5*w and the arrangement order k of the second-type elements in the response queue does not meet the following condition one, then all elements in the response queue are rearranged into a second intermediate sequence; wherein, when the arrangement order p of the second-type elements in the sequence obtained by rearranging all elements in the response queue meets the following condition two, the sequence is defined as the second intermediate sequence.
[0127] Condition 1: When kmod 2*w^(0.5)≤w^(0.5), k mod 2=1; when kmod 2*w^(0.5)>w^(0.5), k mod 2=0.
[0128] Condition 2: When p mod 2*w^(0.5)≤w^(0.5), p mod 2=1; when p mod 2*w^(0.5)>w^(0.5), p mod 2=0; where k and p are both positive integer variables; mod is the modulo operator.
[0129] The step of stitching together the individual grayscale images into a single grayscale image of a first preset size specifically includes:
[0130] Step S608: Determine the arrangement order of the sub-grayscale images with a second preset size of N pixels * N pixels corresponding to each element according to the arrangement order of each element in the second intermediate sequence.
[0131] Step S610: Divide the w sub-grayscale images into w^(0.5) image groups; wherein the sub-grayscale images in each image group are arranged in a continuous order; and the number of sub-grayscale images in each image group is the same.
[0132] For each image group, according to the arrangement order of the sub-grayscale images, w^(0.5) consecutive sub-grayscale images are arranged from smallest to largest along the horizontal axis to obtain an intermediate grayscale image of size N pixels * M pixels corresponding to each image group, resulting in a total of w^(0.5) intermediate grayscale images of size N pixels * M pixels.
[0133] According to the image group numbers in ascending order, w^(0.5) intermediate grayscale images of size N pixels * M pixels are arranged in ascending order along the vertical axis to obtain a total grayscale image of the first preset size M pixels * M pixels; wherein, there are no gaps or overlapping areas between adjacent sub-grayscale images arranged in ascending order along the horizontal axis and in ascending order along the vertical axis; the image group number is the minimum value of the arrangement order of each sub-grayscale image contained in the image group.
[0134] Specifically, when no second intermediate sequence exists, the order of elements in the response queue is used as the order of the sub-grayscale images, referring to... Figure 8 When w=64, N=5, M=40, v is the horizontal axis, and u is the vertical axis, for a queue of 64 elements to be responded to, there are 64 corresponding sub-grayscale images. Therefore, they can be divided into 8 image groups. For example, image group 1 has elements 1 to 8 corresponding to the sub-grayscale images. Figure 1 To the grayscale Figure 8Arranged along the horizontal axis, this results in a mid-grayscale image with dimensions of 5 pixels * 40 pixels. Figure 1 Similarly, image group 8 is formed by arranging the corresponding sub-grayscale images 57 to 64 along the horizontal axis, resulting in an intermediate grayscale image with a size of 5 pixels * 40 pixels. Figure 8 Image group 1 contains sub-grayscale values. Figure 1 To the grayscale Figure 8 And sub-grayscale Figure 1 To the grayscale Figure 8 The minimum value in the arrangement order is the sub-gray level. Figure 1 The order of the images is as follows. It can be seen that the numbering from image group 1 to image group 8 changes from small to large. Therefore, the intermediate gray levels corresponding to image groups 1 to 8 will be sequentially... Figure 1 to intermediate grayscale Figure 8 Arranged along the vertical axis, the final image is a total grayscale image with a size of 40 pixels * 40 pixels. For example, the total grayscale image is composed of 8 * 8 sub-grayscale images, with 8 images in each row and 8 images in each column. The 8 sub-grayscale images in each row form an intermediate grayscale image. The size of each sub-grayscale image is 5 pixels * 5 pixels, and the size of each intermediate grayscale image is 5 pixels * 40 pixels. In this case, 2 * w^(0.5) = 16, w^(0.5) = 8, that is, condition one is that when kmod 16 ≤ 8, kmod 2 = 1; when kmod 16 > 8, kmod 2 = 0. Condition two is that when p mod 16 ≤ 8, p mod 2 = 1; when p mod 16 > 8, p mod 2 = 0.
[0135] It should be noted that when the number of second-class elements in the response queue is not less than 0.5*w and the order k of the second-class elements in the response queue meets the following condition, it means that all the sub-grayscale images corresponding to non-second-class elements in the total grayscale image are sub-grayscale images corresponding to second-class elements in the four directions of positive and negative directions of the vertical axis and the horizontal axis. This means that any two pixels belonging to two adjacent sub-grayscale images in the total grayscale image will not be directly adjacent. Therefore, there will be no situation in space where pixels belonging to two adjacent sub-grayscale images jointly form a certain image feature. If this specific image feature is the same as the image feature of SQL injection behavior, it may be identified by the convolution kernel when the target neural network of the convolutional neural network performs binary classification reasoning on the total grayscale image, and be misjudged by the convolutional neural network as having SQL injection behavior.
[0136] Therefore, in this embodiment, when the number of second-type elements in the response queue is not less than 0.5*w and the arrangement order k of the second-type elements in the response queue does not meet the following condition one, all elements in the response queue are rearranged into a second intermediate sequence. Wherein, when the arrangement order p of the second-type elements in the sequence obtained by rearranging all elements in the response queue meets the following condition two, this sequence is defined as the second intermediate sequence. For example... Figure 11 As shown, when the order k of the second type of elements in the response queue does not meet the following condition one, the position of the second type of elements in the response queue is adjusted. After adjustment, the order p of the second type of elements in the second intermediate sequence meets the following condition two. It can be seen that in the second intermediate sequence, any two pixels belonging to two adjacent sub-grayscale images in the total grayscale image are not directly adjacent. Therefore, spatially, there will be no situation where pixels belonging to two adjacent sub-grayscale images jointly form a specific image feature, thus eliminating the problem of being misjudged as having SQL injection behavior by the convolutional neural network.
[0137] Specifically, Figure 9 The example shown illustrates the sub-grayscale image corresponding to the second type of element. In this example, the request parameter corresponding to the second type of element is 'OR 1=1', and its corresponding one-dimensional and two-dimensional sub-grayscale images are shown in Figure 9. It can be seen that in ASCII code, the character corresponding to 0 is NUL, i.e., the null character. Databases such as MySQL and PostgreSQL prohibit request parameters from containing null characters. Therefore, since the grayscale values of the edge pixels of the sub-grayscale image corresponding to the second type of element are all 0, when a non-second type element, such as... Figure 6 When the request parameter corresponding to 1'or1=1-- is not a second-class element, the four adjacent sub-grayscale images above, below, left, and right of this non-second-class element are all sub-grayscale images corresponding to the second-class element. That is, in space, there will be no situation where pixels belonging to two adjacent sub-grayscale images jointly form a certain image feature. Therefore, the problem of being misjudged as having SQL injection behavior by the convolutional neural network is eliminated.
[0138] It should be noted that if the number of second-type elements in the response queue is less than 0.5*w, the SQL injection behavior detection scheme corresponding to Example 1 will be used.
[0139] In one example, where w is an even number, the method further includes:
[0140] In the second intermediate sequence, the positions corresponding to the permutation order q that meets condition three are all set with elements of the second type.
[0141] Condition 3: q mod w^(0.5) = 1 and q mod w^(0.5) = (0.5 * w^(0.5) + 1) and q ≤ w^(0.5) and 0.5 * w < q ≤ 0.5 * w + w^(0.5); where q is a positive integer variable.
[0142] It should be noted that when w = 64, w^(0.5) = 8, (0.5*w^(0.5) + 1) = 5, 0.5*w = 32, 0.5*w + w^(0.5) = 40. That is, in this example, condition three is: q mod 8 = 1 and q mod 8 = 5 and q ≤ 8 and 32 < q ≤ 40; specifically, when the sign condition is 3, in Figure 3 The 28 sub-grayscale images corresponding to the first row, fifth row, first column, and fifth column are all sub-grayscale images corresponding to the second type of elements. When the target using the convolutional neural network architecture executes steps S302 to S306, it can be guaranteed that any two pixels belonging to two adjacent sub-grayscale images in the two final first-level grayscale images will not be directly adjacent. Therefore, spatially, there will be no situation where pixels belonging to two adjacent sub-grayscale images jointly form a certain image feature, thus eliminating the problem of being misjudged as having SQL injection behavior by the convolutional neural network.
[0143] In one example, the request parameters corresponding to the second type of elements in the second intermediate sequence are defined as the second type of request parameters.
[0144] The step of converting a preset number of elements in the second intermediate sequence into a sub-grayscale image according to a preset rule specifically includes:
[0145] Step S611: Encode each character of the request parameter corresponding to each element in the queue to be responded to according to the preset encoding table to obtain the encoding sequence;
[0146] Step S612: Obtain the grayscale value sequence corresponding to each request parameter based on the encoded sequence;
[0147] Step S613: According to a preset strategy, adjust the pixel values at the corresponding positions in the template image of the second preset size to be consistent with the gray value sequence to obtain the sub-grayscale image;
[0148] The default encoding table is the ASCII encoding table. When encoding each character, the numerical value corresponding to each character is determined according to its ASCII code. That is, each character is represented by its corresponding decimal value based on its ASCII code. For example, a request parameter containing 'OR 1=1', which includes spaces and consists of 8 characters, is defined as the character length L of this request parameter in this article. Therefore, the character length of this request parameter is 8. Figure 9As shown, the grayscale value is determined by the decimal value corresponding to the ASCII code, resulting in the encoding sequence {39, 32, 79, 82, 32, 49, 61, 49}. The grayscale value sequence corresponding to the request parameter is directly set to be the same as the encoding sequence corresponding to the request parameter, i.e., the grayscale value sequence is also {39, 32, 79, 82, 32, 49, 61, 49}. Figure 9 As shown in one example, the template image of the second preset size is a two-dimensional image with a length of 25 pixels (i.e., the size of the image is 5 pixels * 5 pixels), and the grayscale value sequence has a total of 8 elements. Therefore, the preset strategy is to adjust the grayscale values of the first 8 pixels in the two-dimensional template image to the values corresponding to each element in the grayscale value sequence in turn, while the grayscale values of the other pixels in the two-dimensional template image are all set to 0 by default.
[0149] Specifically, the preset strategy includes:
[0150] If the second preset size is N pixels * N pixels, for the second type of request parameter, starting from the smallest pixel in the specified area of the image coordinate system where the template image is located, the gray values of each pixel in the specified area are adjusted to the values corresponding to each element in the gray value sequence corresponding to the second type of request parameter in ascending order of the pixel numbers in the specified area.
[0151] For other request parameters that do not belong to the second type of request parameters, starting from the pixel with the smallest number in the image coordinate system where the template image is located, adjust the grayscale value of each pixel in the template image in ascending order of the pixel numbers to the value corresponding to each element in the grayscale value sequence of the other request parameters that do not belong to the second type of request parameters.
[0152] Wherein, the pixel number is a two-digit number, with the tens digit being the x-coordinate and the units digit being the y-coordinate; the number of pixels in the specified area is not less than the length of the grayscale value sequence; the range of the pixel numbers a*10+b in the specified area meets the following condition four:
[0153] Condition 4: 1 < a < N and 1 < b < N; where a and b are both positive integer variables, a is the tens digit of the pixel number in the specified area, and b is the units digit of the pixel number in the specified area.
[0154] Specifically, when N=5, see [link to relevant documentation]. Figure 10 , Figure 10 (a) shows the pixel numbers in the template image corresponding to a sub-grayscale image. Figure 10 (b) The dashed box represents the specified area. The pixels in the specified area are numbered in ascending order as follows: 22, 23, 24, 32, 33, 34, 42, 43, 44, for a total of 9 pixels.
[0155] In one embodiment, a network security management system based on different scenarios is also provided, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it performs the steps of the network security management method based on different scenarios described above. The steps of the network security management method based on different scenarios can be the steps from the various embodiments described above.
[0156] In one embodiment, a computer-readable storage medium is also provided, storing computer-executable instructions for causing a computer to perform the steps of the network security management method based on different scenarios described above. The steps of the network security management method based on different scenarios described here can be steps from the network security management methods based on different scenarios in the various embodiments described above.
[0157] Those skilled in the art will understand that all or part of the processes in the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments described above. Any references to memory, storage, databases, or other media used in the embodiments provided in this application can include non-volatile and / or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in various forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), dual data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRA), direct RAM via Rambus (RDRA), direct memory bus dynamic RAM (DRDRAM), and dynamic RAM via Rambus (RDRAM), etc.
[0158] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.
Claims
1. A network security management method based on different scenarios, characterized in that, The method includes: When the number of elements in the pending response queue is less than a preset number, SQL injection detection is performed on each request parameter based on the first interception rule to obtain the SQL injection detection result; wherein, each element in the pending response queue is a received request parameter to be responded to; the first interception rule includes SQL injection detection based on blacklist mechanism or whitelist mechanism or SQL syntax tree analysis; When the number of elements in the pending response queue reaches a preset number, SQL injection detection is performed on each request parameter simultaneously based on the second interception rule to obtain the SQL injection detection result. The second interception rule involves converting the preset number of elements in the pending response queue into sub-grayscale images according to a preset rule, stitching the sub-grayscale images together into a total grayscale image of a first preset size, and performing binary classification reasoning on the total grayscale image based on a trained target neural network model. Based on the result of the binary classification reasoning on the total grayscale image, the result of simultaneously performing SQL injection detection on multiple request parameters corresponding to the preset number of elements in the pending response queue is obtained. Based on the SQL injection detection results obtained from the first or second interception rule and the request parameters to be responded to, execute the corresponding response operation; The step of converting a preset number of elements in the queue to be responded to into sub-grayscale images according to preset rules specifically includes: The characters of the request parameters corresponding to each element in the queue to be responded to are encoded one by one according to the preset encoding table to obtain the encoding sequence; Based on the encoded sequence, a grayscale value sequence corresponding to each request parameter is obtained; According to a preset strategy, the pixel values at corresponding positions in the template image of the second preset size are adjusted to be consistent with the gray value sequence to obtain the sub-grayscale image; The target neural network is a feedforward neural network, the first preset size is 1 pixel * M pixels, the second preset size corresponding to the sub-grayscale image is 1 pixel * N pixels, and the preset quantity is w; wherein, M, N, and w are all positive integer variables not less than 2, and M = w * N; After the step of converting a preset number of elements in the response queue into sub-grayscale images according to a preset rule, and before the step of stitching the sub-grayscale images into a single grayscale image of a first preset size, the method further includes: Get the character length L of the request parameters corresponding to each element in the pending response queue; Define the elements with character length L=N in the queue to be responded to as the first type of elements; If the target string consisting of the last character of the first type of element in the response queue and the first character of the next element adjacent to the first type of element is detected as an abnormal combination, then all elements in the response queue are rearranged into a first intermediate sequence; wherein, the target string consisting of the last character of the first type of element in the first intermediate sequence and the first character of the next element adjacent to the first type of element is not an abnormal combination. The step of stitching together the individual grayscale images into a single grayscale image of a first preset size specifically includes: Based on the arrangement order of each element in the first intermediate sequence, determine the arrangement order of the sub-grayscale images with a second preset size of 1 pixel * N pixels corresponding to each element; According to the arrangement order of the sub-grayscale images, w sub-grayscale images are arranged sequentially along the horizontal axis from smallest to largest to obtain a total grayscale image with a first preset size of 1 pixel * M pixels; wherein, there are no gaps or overlapping areas between adjacent sub-grayscale images arranged from smallest to largest along the horizontal axis.
2. The network security management method based on different scenarios according to claim 1, characterized in that: The target neural network model is trained using multiple sets of training data. Each set of training data includes: a total grayscale image of a first preset size obtained by stitching together the sub-grayscale images after converting a set of preset number of request parameters into sub-grayscale images, and a label used to mark whether there is SQL injection behavior in the set of preset number of request parameters corresponding to the total grayscale image.
3. A network security management method based on different scenarios according to claim 2, characterized in that, The method further includes: When the SQL injection detection result obtained based on the second interception rule indicates that there is SQL injection behavior in a set of preset number of request parameters corresponding to the total grayscale image, the total grayscale image is divided equally along the vertical axis of the image coordinate system to obtain two initial first-level grayscale images. After expanding the two initial level-one grayscale images to the first preset size, two final level-one grayscale images are obtained. Two final grayscale images of the first preset size are input into the trained target neural network for binary classification reasoning; Based on the results of binary classification reasoning on the final first-level grayscale image, it is determined whether there is SQL injection behavior in the multiple request parameters corresponding to the two final first-level grayscale images.
4. A network security management method based on different scenarios according to claim 1, characterized in that, The step of converting a preset number of elements in the queue to be responded to into sub-grayscale images according to preset rules specifically includes: The characters of the request parameters corresponding to each element in the first intermediate sequence are encoded one by one according to the preset encoding table to obtain the encoding sequence; Based on the encoded sequence, a grayscale value sequence corresponding to each request parameter is obtained; According to a preset strategy, the pixel values at corresponding positions in a template image of a second preset size are adjusted to match the grayscale value sequence to obtain the sub-grayscale image; The preset strategy includes: If the second preset size is 1 pixel * N pixels, then starting from the pixel with the smallest number in the image coordinate system where the template image is located, the gray values of each pixel in the template image are adjusted to the values corresponding to each element in the gray value sequence in ascending order of the numbers. If the length of the gray value sequence is less than N, then the gray values of pixels in the template image that do not correspond to the gray value sequence are set to default gray values. The default gray values are different from any value in the encoding table. The pixel number is the horizontal coordinate of the pixel. The number of pixels in the template image is not less than the length of the gray value sequence.
5. A network security management method based on different scenarios according to claim 1, characterized in that, The target neural network is a convolutional neural network, the first preset size is M pixels * M pixels, the second preset size corresponding to the sub-grayscale image is N pixels * N pixels, and the preset quantity is w; wherein, M, N, and w are all positive integer variables not less than 2, and w^(0.5) is a positive integer; and M*M=w*N*N; After the step of converting a preset number of elements in the response queue into sub-grayscale images according to a preset rule, and before the step of stitching the sub-grayscale images into a single grayscale image of a first preset size, the method further includes: Get the character length L of the request parameters corresponding to each element in the pending response queue; Elements with a character length L ≤ N*N-4*(N-1) in the queue to be responded to are defined as the second type of elements; If the number of second-type elements in the response queue is not less than 0.5*w and the order k of the second-type elements in the response queue does not meet the following condition one, all elements in the response queue will be rearranged into a second intermediate sequence; wherein, when the order p of the second-type elements in the sequence obtained by rearranging all elements in the response queue meets the following condition two, the sequence will be defined as the second intermediate sequence. Condition 1: When k mod 2*w^(0.5) ≤ w^(0.5), k mod 2 = 1; when k mod 2*w^(0.5) > w^(0.5), k mod 2 = 0. Condition 2: When p mod 2*w^(0.5) ≤ w^(0.5), p mod 2 = 1; when p mod 2*w^(0.5) > w^(0.5), p mod 2 = 0; where k and p are both positive integer variables; mod is the modulo operator. The step of stitching together the individual grayscale images into a single grayscale image of a first preset size specifically includes: According to the arrangement order of each element in the second intermediate sequence, determine the arrangement order of the sub-grayscale images with a second preset size of N pixels * N pixels corresponding to each element; The w sub-grayscale images are divided into w^(0.5) image groups; the sub-grayscale images in each image group are arranged in a continuous order; and the number of sub-grayscale images in each image group is the same. For each image group, according to the arrangement order of the sub-grayscale images, w^(0.5) consecutive sub-grayscale images are arranged from smallest to largest along the horizontal axis to obtain an intermediate grayscale image of size N pixels * M pixels corresponding to each image group, and a total of w^(0.5) intermediate grayscale images of size N pixels * M pixels are obtained. According to the image group numbers in ascending order, w^(0.5) intermediate grayscale images of size N pixels * M pixels are arranged in ascending order along the vertical axis to obtain a total grayscale image of the first preset size M pixels * M pixels; wherein, there are no gaps or overlapping areas between adjacent sub-grayscale images arranged in ascending order along the horizontal axis and in ascending order along the vertical axis; the image group number is the minimum value of the arrangement order of each sub-grayscale image contained in the image group.
6. A network security management method based on different scenarios according to claim 5, characterized in that, Where w is an even number, the method further includes: In the second intermediate sequence, the positions corresponding to the permutation order q that meets condition three are all set with elements of the second type; Condition 3: q mod w^(0.5)=1 and q mod w^(0.5)=(0.5*w^(0.5)+1)and q ≤ w^(0.5)and 0.5*w < q ≤ 0.5*w+w^(0.5); where q is a positive integer variable.
7. A network security management method based on different scenarios according to claim 5, characterized in that, Define the request parameters corresponding to the second type of elements in the second intermediate sequence as the second type of request parameters. The step of converting a preset number of elements in the second intermediate sequence into a sub-grayscale image according to a preset rule specifically includes: The characters of the request parameters corresponding to each element in the queue to be responded to are encoded one by one according to the preset encoding table to obtain the encoding sequence; Based on the encoded sequence, a grayscale value sequence corresponding to each request parameter is obtained; According to a preset strategy, the pixel values at corresponding positions in a template image of a second preset size are adjusted to match the grayscale value sequence to obtain the sub-grayscale image; The preset strategy includes: If the second preset size is N pixels * N pixels, for the second type of request parameter, starting from the smallest pixel in the specified area of the image coordinate system where the template image is located, the gray values of each pixel in the specified area are adjusted to the values corresponding to each element in the gray value sequence corresponding to the second type of request parameter in order from smallest to largest according to the pixel numbers in the specified area. For other request parameters that do not belong to the second type of request parameters, starting from the pixel with the smallest number in the image coordinate system where the template image is located, adjust the gray value of each pixel in the template image in ascending order of the pixel numbers to the value corresponding to each element in the gray value sequence of the other request parameters that do not belong to the second type of request parameters. Wherein, the pixel number is a two-digit number, with the tens digit being the x-coordinate and the units digit being the y-coordinate; the number of pixels in the specified area is not less than the length of the grayscale value sequence; the range of the pixel numbers a*10+b in the specified area meets the following condition four: Condition 4: 1 < a < N and 1 < b < N; where a and b are both positive integer variables, a is the tens digit of the pixel number in the specified area, and b is the units digit of the pixel number in the specified area.
8. A network security management system based on different scenarios, comprising: A memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it performs the steps of the network security management method based on different scenarios as described in any one of claims 1 to 7.