Method, system and electronic device for automatic generation of rules for a web application firewall

By constructing multi-perspective data and utilizing generative language models to generate Web application firewall rules, this approach solves the problems of existing technologies, such as reliance on manual rule construction, insufficient generalization ability, and high computational overhead. It achieves efficient and low-false-positive automatic rule generation and optimization, thereby enhancing the protection capabilities of the WAF system.

CN122160197APending Publication Date: 2026-06-05HARBIN INSTITUTE OF TECHNOLOGY (SHENZHEN) (INSTITUTE OF SCIENCE AND TECHNOLOGY INNOVATION HARBIN INSTITUTE OF TECHNOLOGY SHENZHEN)

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HARBIN INSTITUTE OF TECHNOLOGY (SHENZHEN) (INSTITUTE OF SCIENCE AND TECHNOLOGY INNOVATION HARBIN INSTITUTE OF TECHNOLOGY SHENZHEN)
Filing Date
2026-05-09
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing Web Application Firewall (WAF) technologies suffer from several problems in rule building and detection, including strong reliance on manual intervention, insufficient generalization ability, high computational overhead, poor interpretability, insufficient stability, and lack of systematic verification. These issues lead to frequent rule updates, high false positive rates, and performance bottlenecks.

Method used

By constructing multi-perspective data, generating Web application firewall rules using generative language models, and combining the original representation with semantically normalized representation, format constraints and syntax adaptation are performed. Effectiveness evaluation, screening, and iterative optimization are then conducted to generate deployable rules.

Benefits of technology

It improves the efficiency and adaptability of rule generation, reduces the impact on normal business operations, enhances the continuous protection capability of the WAF system in complex attack environments, and is suitable for high-concurrency access systems and high-security web service environments.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160197A_ABST
    Figure CN122160197A_ABST
Patent Text Reader

Abstract

The application discloses a kind of Web application firewall's rule automatic generation method, system and electronic equipment, including the processing of input web request data, build and include original representation and semantic standardization representation Multi-view data;Web application firewall rule is generated based on the corresponding relationship between the two, including the following steps: using generative language model, according to the corresponding relationship between original representation and semantic standardization representation in multi-view data, generate candidate detection rules for target attack behavior;The candidate detection rule is subjected to format constraint and syntax adaptation processing, so that it meets the rule syntax requirements of target WAF system, and the output web application firewall rule;Effectiveness evaluation, screening and iterative optimization are carried out to the web application firewall rule, and finally the deployable web application firewall rule is generated.The method of the application improves the generation efficiency and adaptation capacity of the rule, and enhances the continuous protection capability of WAF system in complex attack environment.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network security protection technology, specifically to a method, system, and electronic device for automatically generating rules for a web application firewall. Background Technology

[0002] Web Application Firewalls (WAFs) are important security devices or software systems used to protect web applications from malicious request attacks. They are typically deployed between the client and the web server to detect, filter, and block HTTP requests entering the application system. Existing WAF technologies mainly analyze the URL, parameters, request body, and related context information in the request to identify whether it contains attack characteristics such as SQL injection and cross-site scripting (XSS), and perform actions such as allowing, blocking, or issuing alerts based on the detection results.

[0003] Currently, WAF detection technologies mainly include rule-based or feature-matching detection technologies, syntax parsing-based detection technologies, and machine learning-based detection technologies. Rule-based or feature-matching technologies, which use preset signatures, regular expressions, or rule templates to match malicious patterns in requests, are the most widely used approach in existing WAF products. Syntax parsing-based technologies perform lexical, syntactic, or semantic analysis on request content to identify the structural features of attack statements, thereby improving the ability to identify complex attack payloads. Machine learning-based technologies use sample data to train classification models, learning the differences between normal and attack requests, thus achieving automatic detection of malicious traffic. However, in practical engineering applications, due to limitations in system performance overhead, interpretability, and deployment complexity, syntax parsing-based and machine learning-based detection methods cannot completely replace rule-based detection mechanisms, making rule-based detection the most core and widely used technology in WAF systems. Therefore, how to efficiently construct and optimize detection rules has become an important research direction in this field. Regarding rule construction, existing technologies typically rely on security experts manually writing detection rules based on attack samples, vulnerability principles, and historical experience, and then configuring these rules into the WAF rule engine for execution. To improve the efficiency of rule building, some technologies attempt to automatically extract key information that can be used for detection from attack samples through pattern mining, feature extraction, or generative models, in order to help generate deployable detection rules.

[0004] Although existing Web Application Firewalls (WAFs) are widely used in web security protection, detection methods based on different technical approaches still have the following problems and shortcomings in practical applications: (1) Detection techniques based on rule or feature matching suffer from strong reliance on manual intervention and insufficient generalization ability. These methods mainly rely on security experts to manually write rules or feature expressions based on attack samples. The rule construction process depends on experience and has a low degree of automation. As attack patterns continue to evolve, rules need to be updated frequently, resulting in high maintenance costs. At the same time, these rules are usually based on fixed string patterns or feature matching, which makes them less adaptable to attack payloads that have been encoded, obfuscated, or semantically equivalent, and they are easily bypassed by variant attacks, leading to false negatives.

[0005] (2) Syntax parsing-based detection techniques have problems such as high computational overhead and complex deployment.

[0006] These methods identify the structural features of attack statements by performing lexical, syntactic, or semantic analysis on the request content. While they can improve the detection capability of complex attacks, they typically require deep parsing of the request, resulting in significant computational overhead and potential performance bottlenecks in high-concurrency scenarios. Furthermore, these methods are highly dependent on the accuracy and completeness of the parser, leading to complex system implementations and making large-scale deployment in practical engineering projects difficult.

[0007] (3) Machine learning-based detection techniques suffer from poor interpretability and insufficient stability.

[0008] These methods improve the ability to detect unknown attacks to some extent by training models to learn the differences between attacks and normal requests. However, their detection results depend on the distribution of training data, and the model performance is prone to deterioration when faced with changes in data distribution or adversarial examples. Furthermore, these methods typically lack interpretability, are difficult to directly translate into deployable detection rules, and have high computational resource requirements in practical applications, affecting their effectiveness in real-time detection scenarios.

[0009] (4) Existing technologies lack systematic support for rule generation and verification.

[0010] Regarding the rule-building problem, although some methods attempt to automatically generate rules through pattern mining or learning models, these methods are usually based only on surface features or local patterns, lacking effective abstraction of attack semantics, resulting in limited generalization ability of the generated rules. Furthermore, existing technologies generally lack a systematic verification mechanism for generated rules, making it difficult to simultaneously evaluate the blocking effect of rules and their impact on normal business operations, easily leading to high false positive rates or rules that are difficult to directly apply to real-world systems. Summary of the Invention

[0011] To address the aforementioned issues, this invention provides a method, system, and electronic device for automatically generating rules for a Web Application Firewall (WAF), aiming to support the generation, updating, and optimization of WAF rules, enabling rules to continuously adapt to ever-changing attack patterns.

[0012] According to a first aspect of the present disclosure, a method for automatically generating rules for a web application firewall is provided, the method comprising the following steps: The input Web request data is processed to construct multi-view data containing both raw representation and semantically normalized representation; Web application firewall rules are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data, including the following steps: By using a generative language model, candidate detection rules for targeted attack behaviors are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data. The candidate detection rules are subjected to format constraints and syntax adaptation to meet the rule syntax requirements of the target WAF system, and the Web Application Firewall rules are output. The effectiveness of Web Application Firewall rules is evaluated, filtered, and iteratively optimized to ultimately generate deployable Web Application Firewall rules.

[0013] A further technical solution of the present invention is as follows: The original representation and the semantically normalized representation are jointly organized into input data for a generative language model, including: concatenating the original representation and the semantically normalized representation according to a preset format to form a unified joint input; wherein, the original representation is used to retain the surface-level expression information of the attack payload, including original keywords, character combinations, encoding forms, parameter fragments, and local context in the request; the semantically normalized representation is used to describe the semantic structure information after normalization, including one or more of the following: logical relationships, comparison relationships, function call relationships, query structures, or script structures of the attack payload.

[0014] A further technical solution of the present invention is to use the correspondence between the original representation and the semantically normalized representation as auxiliary constraint information input into the generative language model. The correspondence includes at least the mapping relationship between key grammatical segments in the original representation and corresponding semantic nodes in the semantically normalized representation, the alignment relationship between the original character sequence and the abstract grammatical structure, and the association relationship between key semantic units under different representations.

[0015] A further technical solution of the present invention is as follows: the candidate detection rule includes at least a rule matching object, detection conditions, and corresponding action information; the rule matching object includes request parameters, request body, URL, cookie, or request header fields; the detection conditions include keyword matching, regular expression matching, structural feature matching, or combined logic conditions; the action information includes interception, alarm, or logging.

[0016] A further technical solution of the present invention is as follows: the format constraint and syntax adaptation processing includes: according to the rule language specification of the target WAF system, completing, standardizing or transforming the field names, matching syntax, logical connection methods, action configurations, priority identifiers and necessary parameters in the candidate rules; each candidate rule in the candidate detection rule set is associated with the original representation of the input and the semantic standardization representation, which is used to track the rule source and evaluate the rule effect.

[0017] A further technical solution of the present invention is as follows: Processing the input Web request data to construct multi-view data containing both the original representation and the semantically normalized representation includes the following steps: The system parses the input Web request data, extracts the URL, parameters, request body and cookie content and preprocesses them, identifies target fragments in the attack payload, constructs an abstract syntax tree through lexical analysis and syntax analysis, and constructs a local tree representation for abnormal input using fault-tolerant parsing. The abstract syntax tree is semantically normalized, including unified identifier replacement, constant normalization placeholder replacement, encoding escaping and restoration, and standardized rewriting of syntax structure. At the same time, it retains attack semantic relationships such as logical operations, function calls, and query levels, and outputs a standardized representation. Based on the above analysis and normalization results, the original request representation and the corresponding normalized semantic representation are extracted and bound for each Web request to form a multi-perspective data pair. At the same time, the mapping relationship, alignment relationship and association relationship between the original representation and the normalized semantic representation are established.

[0018] A further technical solution of the present invention is as follows: The generated Web application firewall rules are evaluated for effectiveness, filtered, and iteratively optimized to ultimately generate deployable Web application firewall rules, including the following steps: Perform syntax compilation and validation on Web application firewall rules, and remove invalid rules; Based on attack samples, assess interception capabilities and label inefficient rules; Based on the assessment of false alarm rate according to normal traffic, high-risk rules are marked. The system integrates compilation, interception, and false alarm results to perform multi-dimensional scoring and ranking, and then selects high-quality rules. For rules that fail validation, feedback information is generated based on the characteristics of missed samples or false alarms to guide rule adjustment or regeneration, forming a closed-loop iteration. The filtered rules are encapsulated and deployed to the WAF engine, while the verification results are recorded for continuous optimization.

[0019] According to a second aspect of the present disclosure, a method system for automatically generating rules for a web application firewall is provided, comprising: The multi-view data construction module is used to process the input Web request data and construct multi-view data containing both the original representation and the semantically normalized representation. The semantically enhanced rule generation module is used to generate deployable web application firewall rules based on the correspondence between the original representation and the semantically normalized representation in multi-view data, including the following steps: By using a generative language model, candidate detection rules for targeted attack behaviors are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data. The candidate detection rules are subjected to format constraints and syntax adaptation to meet the rule syntax requirements of the target WAF system, and the resulting deployable Web Application Firewall rules are output. The multi-stage verification and feedback module is used to evaluate the effectiveness, filter, and iteratively optimize the generated deployable Web application firewall rules.

[0020] According to a third aspect of the present disclosure, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of the above-described method for automatically generating rules for a web application firewall.

[0021] According to a fourth aspect of the present disclosure, a non-transitory computer-readable storage medium is provided, the storage medium storing computer instructions that, when executed by a processor, implement the steps of the above-described method for automatically generating rules for a web application firewall.

[0022] This disclosure provides a method, system, and electronic device for automatically generating rules for a Web Application Firewall (WAF), belonging to the field of Web Application Firewall (WAF) security protection technology. It is primarily applied to rule-based Web request detection and interception scenarios. It is suitable for various WAF deployment environments, including web access point protection in internet websites, cloud service platforms, and enterprise information systems, used to identify and block common Web attacks such as SQL injection and cross-site scripting (XSS). In specific applications, it can support the generation, updating, and optimization of WAF rules, enabling rules to continuously adapt to changing attack patterns. Related technologies can be embedded in existing WAF products or cloud WAF services as part of rule production and management, assisting in the construction of detection rules that can be directly deployed to the rule engine and participating in rule filtering and iterative updates. Simultaneously, this invention can evaluate the performance of rules in real requests in conjunction with actual business traffic environments, thereby reducing the impact on normal business operations while ensuring attack detection capabilities. This invention is particularly suitable for application scenarios that require high-frequency rule updates and fine-grained protection, such as high-concurrency access systems or web service environments with high security requirements. By improving the efficiency and adaptability of rule generation, it enhances the continuous protection capability of the WAF system in complex attack environments.

[0023] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this disclosure. Attached Figure Description

[0024] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the invention.

[0025] Figure 1 This is a flowchart of the automatic rule generation method for the Web application firewall in this embodiment of the invention; Figure 2 This is a system structure diagram of the automatic rule generation method for Web application firewall in this embodiment of the invention; Figure 3 This is a schematic diagram of an electronic device according to an embodiment of the present invention. Detailed Implementation

[0026] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of the invention. Furthermore, it should be noted that, for ease of description, only the parts relevant to the present invention are shown in the drawings, not the entire structure.

[0027] Before discussing the exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although the flowcharts describe the steps as sequential processes, many of these steps can be performed in parallel, concurrently, or simultaneously. Furthermore, the order of the steps can be rearranged. The process can be terminated when its operation is complete, but may also have additional steps not included in the figures. The process can correspond to a method, function, procedure, subroutine, subroutine, etc.

[0028] This invention relates to a method for automatically generating rules for a web application firewall, such as... Figure 1 As shown, the method includes the following steps: S1. Process the input Web request data to construct multi-view data containing the original representation and semantically normalized representation; S2. Generate Web application firewall rules based on the correspondence between the original representation and the semantically normalized representation in multi-view data, including the following steps: By using a generative language model, candidate detection rules for targeted attack behaviors are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data. The candidate detection rules are subjected to format constraints and syntax adaptation to meet the rule syntax requirements of the target WAF system, and the Web Application Firewall rules are output. S3. Evaluate, filter, and iteratively optimize the effectiveness of Web Application Firewall rules to ultimately generate deployable Web Application Firewall rules.

[0029] The input Web request data is processed to construct multi-view data containing both raw and semantically normalized representations, including the following steps: The system parses the input Web request data, extracts the URL, parameters, request body and cookie content and preprocesses them, identifies target fragments in the attack payload, constructs an abstract syntax tree through lexical analysis and syntax analysis, and constructs a local tree representation for abnormal input using fault-tolerant parsing. The abstract syntax tree is semantically normalized, including unified identifier replacement, constant normalization placeholder replacement, encoding escaping and restoration, and standardized rewriting of syntax structure. At the same time, it retains attack semantic relationships such as logical operations, function calls, and query levels, and outputs a standardized representation. Based on the above analysis and normalization results, the original request representation and the corresponding normalized semantic representation are extracted and bound for each Web request to form a multi-perspective data pair. At the same time, the mapping relationship, alignment relationship and association relationship between the original representation and the normalized semantic representation are established.

[0030] In the specific implementation process, the input Web request data is processed to construct multi-view data containing both the original representation and the semantically normalized representation, providing basic data support for subsequent rule generation. The specific steps include the following: Step 1: Request data parsing Obtain the input Web request data, extract the URL, request method, request headers, query parameters, form parameters, request body, and cookies from the request, and preprocess the extracted results.

[0031] Preprocessing includes character encoding standardization, escape character restoration, case normalization, delimiter normalization, and abnormal character filtering to eliminate the impact of different transmission formats on subsequent parsing. For attack payloads in the web request, target fragments that may contain attack semantics are first identified. These target fragments include, but are not limited to, parameter values ​​in the URL query string, form field values ​​in the request body, JSON field values, XML node values, and other input content that can be interpreted and executed by the backend program.

[0032] For different types of payload content, corresponding grammatical rules are used to perform lexical and syntactic analysis on keywords, operators, literals, tag structures, attribute structures, event handling functions, function calls, logical expressions, etc., and an abstract syntax tree is constructed based on the analysis results. The nodes in the abstract syntax tree are used to represent grammatical components and their hierarchical relationships.

[0033] For abnormal inputs that fail to fully match the standard syntax, a fault-tolerant parsing method can be used to parse the identifiable key grammatical units in segments and construct local abstract syntax trees or intermediate tree representations to retain as many structural features as possible.

[0034] Through the above processing, the attack payload in the original request is transformed from a linear string representation to a tree structure representation, thereby characterizing its syntactic structure features and internal composition relationships, providing structured input for subsequent normalization processing and rule generation.

[0035] Step 2: Semantic Normalization Processing The abstract syntax tree constructed in step 1 is normalized to obtain a standardized representation that can characterize the attack semantics. The goal of the normalization process is to eliminate superficial differences between different requests in terms of variable naming, constant values, syntax, and expression order, while preserving the core semantic features of the attack payload, so that requests with the same or similar semantics but different forms can be mapped to a consistent or similar normalized representation.

[0036] The semantic normalization process may include the following steps: 1. Identifier normalization Identifier nodes in the abstract syntax tree are uniformly replaced or abstracted. These identifiers include field names, table names, column names, parameter names, variable names, aliases, and target objects in function calls. Specifically, identifiers with the same syntactic role but different names in different requests can be replaced with unified category tags. For example, parameter names in different payloads can be replaced with "PARAM", and table names can be replaced with "TABLE", thereby reducing the interference of specific naming differences on subsequent rule generation.

[0037] 2. Constant normalization processing Normalize or replace placeholders in the constant nodes of the abstract syntax tree. The constants include numbers, strings, hexadecimal values, Boolean values, null values, and other literals.

[0038] Specifically, constants of different forms that do not affect semantic pattern recognition during detection can be uniformly replaced with standard placeholders. For example, numeric constants can be replaced with "NUM", and string constants can be replaced with "STR". For attack detection scenarios that require retaining type information but not specific values, this method can reduce the impact of changes in specific values ​​on the consistency of structural representation without altering the semantic skeleton.

[0039] 3. Unified processing of encoding and escaping For cases involving encoding, mixed case, and escape character insertion in the original payload corresponding to the abstract syntax tree, unified restoration and standardization can be performed at the term level corresponding to the tree node. This process reduces the surface differences caused by attackers exploiting encoding transformations and character perturbations.

[0040] 4. Standardized rewriting of grammatical structure The grammatical structures in the abstract syntax tree are standardized and rewritten to eliminate structural differences caused by different expressions.

[0041] The standardized rewriting includes, but is not limited to: 1) Map equivalent logical expressions to a unified structure; 2) Sort the operands that are commutative according to a predetermined rule; 3) Collapse redundant parentheses, repeatedly nested nodes, or intermediate nodes that have no actual semantic gain; 4) Perform unified expansion or unified compression on comparison expressions, Boolean expressions, or function call expressions of the same type; 5) Standardize the representation of query fragments, union queries, nested queries, and comment truncation structures.

[0042] This step allows for greater consistency among different loads at the structural level, thereby highlighting their shared attack semantics.

[0043] 5. Semantic Role Preservation Processing While performing standardization, important syntactic roles and structural relationships that can characterize attack semantics are preserved. These semantic roles include logical operation relationships, comparison relationships, function call relationships, query hierarchy relationships, script call relationships, and dependencies between key semantic nodes.

[0044] By retaining the above information, we ensure that the normalization process does not destroy the core semantic framework of the attack pattern, thus making the normalization result both consistent and able to truly reflect the potential attack behavior in the request.

[0045] 6. Generate normalized representation After completing the above processing, the normalized abstract syntax tree is output as a standardized representation. The standardized representation can be a normalized tree structure, a linear traversal sequence of the tree, a sequence of node relationships, or other intermediate representations that can reflect its semantic structure features.

[0046] This standardized representation is used to describe the core semantic patterns of attack payloads and serves as an important input for subsequent rule generation modules.

[0047] Through the above standardization process, attack requests with the same or similar semantics but different surface expressions can be mapped to consistent or similar standardized representations, thereby reducing the impact of request deformation, encoding obfuscation and term substitution on the generation of detection rules, and improving the coverage and generalization ability of subsequent generated rules for attack variants.

[0048] Step 3: Multi-view data construction Based on the processing results of steps 1 and 2, the original request data is associated with its corresponding normalized representation to construct multi-perspective data for rule generation.

[0049] Specifically, for each input Web request, its original request representation and corresponding normalized semantic representation are extracted and bound together to form a multi-view data pair. This multi-view data pair is used to simultaneously characterize the surface features and underlying semantic structure features of the attack payload.

[0050] The multi-view data pair includes at least the following: The original request representation is used to preserve the original string format, encoding method, keyword distribution, and character-level perturbation characteristics of the attack payload, so as to reflect the surface expression information of the attack payload; Normalized semantic representation is used to describe the structural information after semantic normalization, including abstract syntax trees or their corresponding normalized representations, and is used to characterize the semantic structure and logical relationships of attack payloads; In constructing multi-view data pairs, a correspondence is established between the original request representation and the normalized semantic representation. This correspondence includes at least the following information: 1) The mapping relationship between each syntactic fragment in the original request and the nodes in the normalized representation; 2) Alignment relationships between key semantic units in different representations; 3) The relationship between surface character sequences and semantic structures.

[0051] Through the above correspondence, the surface features in the original request can be aligned with its semantic structure information, thereby enabling the joint utilization of multi-perspective information in subsequent processing.

[0052] By constructing the aforementioned multi-perspective data, this invention can simultaneously utilize the surface representation information of the attack payload and its semantic structure information, thereby providing a data foundation for the subsequent generation of detection rules with stronger generalization capabilities.

[0053] The process of jointly organizing the original representation and the semantically normalized representation into input data for a generative language model includes: concatenating the original representation and the semantically normalized representation according to a preset format to form a unified joint input; wherein, the original representation is used to retain the surface expression information of the attack payload, including original keywords, character combinations, encoding forms, parameter fragments, and local context in the request; the semantically normalized representation is used to describe the semantic structure information after normalization, including one or more of the following: logical relationships, comparison relationships, function call relationships, query structures, or script structures of the attack payload.

[0054] The correspondence between the original representation and the semantically normalized representation is used as auxiliary constraint information input into the generative language model. The correspondence includes at least the mapping relationship between key grammatical segments in the original representation and corresponding semantic nodes in the semantically normalized representation, the alignment relationship between the original character sequence and the abstract grammatical structure, and the association relationship between key semantic units under different representations.

[0055] Candidate detection rules include at least rule matching objects, detection conditions, and corresponding action information; the rule matching objects include request parameters, request bodies, URLs, cookies, or request header fields; the detection conditions include keyword matching, regular expression matching, structural feature matching, or combined logic conditions; and the action information includes interception, alarm, or logging.

[0056] The format constraint and syntax adaptation processing includes: according to the rule language specification of the target WAF system, completing, standardizing or transforming the field names, matching syntax, logical connection methods, action configurations, priority identifiers and necessary parameters in the candidate rules; each candidate rule in the candidate detection rule set is associated with the original input representation and the semantically standardized representation, which is used to track the rule source and evaluate the rule effect.

[0057] In practice, based on the correspondence between the original request representation and its corresponding normalized semantic representation, deployable Web Application Firewall (WAF) detection rules are generated. This includes the following steps: Step 1: Constructing Multi-View Input Multi-perspective data pairs are acquired, and the original request representation and normalized semantic representation corresponding to the same request are jointly organized to form the input data for the rule generation module. The original request representation preserves the surface-level expression information of the attack payload, including original keywords, character combinations, encoding forms, parameter fragments, and local context within the request. The normalized semantic representation describes the semantic structure information after normalization, including the semantic skeleton such as logical relationships, comparison relationships, function call relationships, query structures, or script structures of the attack payload. During input construction, the original request representation and normalized semantic representation are concatenated according to a preset format to form a unified joint input.

[0058] Step 2: Semantic alignment information injection Based on the joint input, the correspondence between the original request representation and the normalized semantic representation is introduced as auxiliary constraint information into the rule generation process. This correspondence includes at least the mapping between key syntactic fragments in the original request and corresponding semantic nodes in the normalized representation, the alignment between the original character sequence and the abstract syntactic structure, and the association between key semantic units under different representations. By introducing these correspondences, the rule generation module, when processing input data, can not only identify the surface attack features in the original request but also understand its underlying attack semantics by combining the normalized representation.

[0059] In this way, the rule generation process no longer relies solely on a single string pattern, but synthesizes rules based on the joint constraints of surface expression and semantic structure, thereby improving the ability of generated rules to cover semantically equivalent attack variants.

[0060] Step 3: Rule Content Generation The constructed joint input is fed into the rule generation process, and candidate detection rules are output.

[0061] Rule generation employs a generative language model, which generates detection rules for targeted attack behaviors based on surface features in the original request representation, semantic structure information in the normalized semantic representation, and the alignment relationship between the two.

[0062] The detection rule should include at least the rule matching object, the detection conditions, and the corresponding action information. The rule matching object can be a request parameter, request body, URL, cookie, or request header field; the detection conditions can include keyword matching, regular expression matching, structural feature matching, or combined logical conditions; and the action information can include interception, alarm, logging, or other preset processing methods.

[0063] During the generation process, preset rule constraints can be applied to the generated results to ensure that the generated rules cover the common patterns of attack samples as much as possible, while avoiding over-reliance on the surface strings of a single sample. The resulting rules can not only match known attack forms in the input samples, but also cover variant requests with the same attack semantics but different written forms.

[0064] Step 4: Rule format constraints and syntax adaptation The candidate detection rules output by the rule generation module are subjected to format constraints and syntax adaptation processing to ensure that they meet the rule syntax requirements of the target WAF system.

[0065] Specifically, based on the rule language specifications of the target WAF system, the field names, matching syntax, logical connection methods, action configurations, priority identifiers, and other necessary parameters in the candidate rules are completed, standardized, or transformed to ensure that the generated results conform to the executable format of the corresponding rule engine. For example, when the target system is a WAF engine based on rule expressions, the candidate rules can be converted into the corresponding rule statement format; when the target system uses specific fields to describe rule conditions, the rule content can be mapped and reorganized according to the system's syntax requirements. Through this step, the generated rules can directly enter the subsequent verification process and are ready for deployment.

[0066] Step 5: Output candidate rules The generated and format-adapted rules are output as a set of candidate detection rules and transmitted to the subsequent multi-stage verification and feedback process.

[0067] The candidate detection rule set can contain one or more candidate rules. Each candidate rule is associated with the original request representation and the normalized semantic representation of the input, so as to track the source of the rule, evaluate the effect of the rule, and make feedback optimization based on the verification results in the subsequent verification process.

[0068] Through the above processing, semantically enhanced rule generation can generate detection rules that take into account both surface features and semantic structure based on multi-perspective input information, thereby improving the generalization ability, deployability and practical application value of the rules.

[0069] The generated Web Application Firewall (WAF) rules are evaluated for effectiveness, filtered, and iteratively optimized to ultimately produce deployable WAF rules, including the following steps: Perform syntax compilation and validation on Web application firewall rules, and remove invalid rules; Based on attack samples, assess interception capabilities and label inefficient rules; Based on the assessment of false alarm rate according to normal traffic, high-risk rules are marked. The system integrates compilation, interception, and false alarm results to perform multi-dimensional scoring and ranking, and then selects high-quality rules. For rules that fail validation, feedback information is generated based on the characteristics of missed samples or false alarms to guide rule adjustment or regeneration, forming a closed-loop iteration. The filtered rules are encapsulated and deployed to the WAF engine, while the verification results are recorded for continuous optimization.

[0070] In the specific implementation process, the candidate detection rules output by the semantically enhanced rule generation module are evaluated for effectiveness, screened, and iteratively optimized to ensure that the generated rules meet the requirements of deployability, detection capability, and low false positives. Specifically, the following steps are included: Step 1: Rule compilation and verification Obtain candidate detection rules, and load the rules into the target WAF rule engine or rule parsing component for syntax parsing and compilation verification.

[0071] Specifically, the check verifies whether the rules conform to the syntax specifications of the target WAF system, including rule expression format, field configuration, matching syntax, logical operation relationships, and action definitions. Rules with syntax errors, missing fields, or incomplete structures are deemed invalid and removed. This step filters out valid rules that can be correctly parsed and executed by the target WAF system, providing a foundation for subsequent verification.

[0072] Step 2: Verification of attack interception capabilities Based on a pre-collected or constructed dataset of attack samples, the interception capability of candidate rules that have passed compilation and verification is evaluated.

[0073] Specifically, attack samples are input into the WAF detection process one by one, candidate rules are applied for matching, and the detection and blocking performance of each rule for attack requests is statistically analyzed. Based on preset evaluation indicators (hit rate), it is determined whether the rule can effectively identify the target attack behavior.

[0074] Rules that fail to effectively cover attack samples or have insufficient detection capabilities are marked as inefficient or invalid rules and then filtered or optimized in subsequent steps.

[0075] Step 3: Verify false alarms for business traffic Based on real business traffic or labeled normal request data, a false positive assessment is performed on candidate rules. Specifically, candidate rules are applied to normal request data, and the matching results are statistically analyzed to determine whether the rules incorrectly block or misjudge normal requests. The false positive rate of the rules is quantitatively assessed according to a preset false positive threshold.

[0076] Rules with a false positive rate exceeding the threshold are marked as high-risk rules and removed or optimized in subsequent processing to avoid impacting normal business operations.

[0077] Step 4: Rule Filtering and Sorting Based on the verification results from steps 1 to 3, the candidate rules are screened and ranked. Specifically, rules can be scored or prioritized according to their compilation success rate, attack detection capability, and false positive rate to select high-quality rules that meet preset conditions. Screening conditions may include achieving a set detection standard and having a false positive rate below a set threshold. Through this step, a set of candidate rules suitable for actual deployment is formed.

[0078] Step 5: Feedback-driven rule optimization For rules that fail verification or whose performance does not meet requirements, feedback information is generated based on the verification results, and the feedback information is used to guide the adjustment or regeneration of the rules.

[0079] The feedback information may include characteristics of attack samples where the rule was not matched, characteristics of normal requests triggered by false alarms, and cases where the rule matching range is too wide or too narrow. Based on the above feedback information, the input data, generation constraints, or rule structure in the rule generation process are adjusted to generate improved rules. Furthermore, the optimized rules can be re-inputted into steps 1 to 4 for verification, forming a closed-loop iterative process of rule generation and verification.

[0080] Step 6: Rule Output and Deployment Preparation The filtered rules are output as final detection rules and packaged or configured according to the deployment requirements of the target WAF system. These final rules can be directly deployed to the WAF rule engine for detecting and intercepting real-time web requests. Simultaneously, the input data and verification results corresponding to the rules can be recorded for subsequent rule maintenance and continuous optimization.

[0081] Another embodiment provides a system 200 for automatically generating rules for a web application firewall, comprising: The multi-view data construction module 210 is used to process the input Web request data and construct multi-view data containing the original representation and the semantically normalized representation. The semantically enhanced rule generation module 220 is used to generate deployable web application firewall rules based on the correspondence between the original representation and the semantically normalized representation in multi-view data, including the following steps: By using a generative language model, candidate detection rules for targeted attack behaviors are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data. The candidate detection rules are subjected to format constraints and syntax adaptation to meet the rule syntax requirements of the target WAF system, and the resulting deployable Web Application Firewall rules are output. The multi-stage verification and feedback module 230 is used to evaluate the effectiveness, filter, and iteratively optimize the generated deployable Web application firewall rules.

[0082] In addition to the modules described above, the Web application firewall rule automatic generation method system 200 may also include other components; however, since these components are not related to the content of this disclosure embodiment, their illustrations and descriptions are omitted here.

[0083] Other specific working processes of the automatic rule generation method system 200 for Web application firewalls are described in the above-described embodiment of the automatic rule generation method for Web application firewalls, and will not be repeated here.

[0084] Another embodiment illustrating that the system of the present invention can also be achieved by means of... Figure 3 The architecture of the computing device shown is used to implement this. Figure 3 The architecture of the computing device is shown. For example... Figure 3 As shown, the computer system 310 includes a system bus 330, one or more CPUs 340, input / output 320, and memory 350. Memory 350 can store various data or files used by the computer for processing and / or communication, as well as program instructions executed by the CPU, including methods for automatically generating rules for Web application firewalls. Figure 3 The architecture shown is merely exemplary and should be adjusted according to actual needs when implementing different devices. Figure 3 One or more components of the system. The memory 350, as a computer-readable storage medium, can be used to store software programs, computer-executable programs, and modules, such as the program instructions / modules corresponding to the above-described automatic rule generation method for the Web application firewall in this embodiment of the invention. One or more CPUs 340 execute various functional applications and data processing of the system of the present invention by running the software programs, instructions, and modules stored in the memory 350.

[0085] Of course, the processor of the server provided in the embodiments of the present invention is not limited to performing the method operations described above, but can also perform related operations in the rule automatic generation method of the Web application firewall provided in any embodiment of the present invention.

[0086] The memory 350 may primarily include a program storage area and a data storage area. The program storage area may store the operating system and applications required for at least one function; the data storage area may store data created based on terminal usage. Furthermore, the memory 350 may include high-speed random access memory and non-volatile memory, such as at least one disk storage device, flash memory device, or other non-volatile solid-state storage device. In some instances, the memory 350 may further include memory remotely configured relative to one or more CPUs 340, these remote memories being connected to the device via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.

[0087] Input / output 320 can be used to receive input digital or character information, and to generate key signal inputs related to user settings and function control of the device. Input / output 320 may also include a display device such as a display screen.

[0088] This invention also provides a non-transitory computer-readable storage medium storing a computer program. When executed by a processor, this computer program implements the automatic rule generation method for the Web application firewall described in the above embodiments. The computer-readable storage medium of this invention can be any combination of one or more computer-readable media. A computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. For example, a computer-readable storage medium can be, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media (a non-exhaustive list) include: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this document, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.

[0089] Computer-readable signal media may include data signals propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals may take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. Computer-readable signal media may also be any computer-readable medium other than computer-readable storage media, capable of sending, propagating, or transmitting programs for use by or in connection with an instruction execution system, apparatus, or device.

[0090] The program code contained on the storage medium can be transmitted using any suitable medium, including but not limited to wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.

[0091] Furthermore, other specific operating procedures of a non-transitory computer-readable storage medium are described in the above-described embodiment of the automatic rule generation method for Web application firewalls, and will not be repeated here.

[0092] In this document, the terms “comprising,” “including,” or any other variations thereof are intended to cover non-exclusive inclusion, such that a step or method that comprises a list of elements includes not only those elements but also other elements not expressly listed or inherent to such a step or method.

[0093] The above description, in conjunction with specific preferred embodiments, provides a further detailed explanation of the present invention. It should not be construed that the specific implementation of the present invention is limited to these descriptions. For those skilled in the art, various simple deductions or substitutions can be made without departing from the concept of the present invention, and all such modifications and substitutions should be considered within the scope of protection of the present invention.

Claims

1. A method for automatically generating rules for a Web application firewall, characterized in that, The method includes the following steps: The input Web request data is processed to construct multi-view data containing both raw representation and semantically normalized representation; Web application firewall rules are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data, including the following steps: By using a generative language model, candidate detection rules for targeted attack behaviors are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data. The candidate detection rules are subjected to format constraints and syntax adaptation to meet the rule syntax requirements of the target WAF system, and the Web Application Firewall rules are output. The effectiveness of Web Application Firewall rules is evaluated, filtered, and iteratively optimized to ultimately generate deployable Web Application Firewall rules.

2. The method for automatically generating rules for a Web application firewall according to claim 1, characterized in that, The process of jointly organizing the original representation and the semantically normalized representation into input data for a generative language model includes: concatenating the original representation and the semantically normalized representation according to a preset format to form a unified joint input; wherein, the original representation is used to retain the surface expression information of the attack payload, including original keywords, character combinations, encoding forms, parameter fragments, and local context in the request; the semantically normalized representation is used to describe the semantic structure information after normalization, including one or more of the following: logical relationships, comparison relationships, function call relationships, query structures, or script structures of the attack payload.

3. The method for automatically generating rules for a Web application firewall according to claim 1, characterized in that, The correspondence between the original representation and the semantically normalized representation is used as auxiliary constraint information input into the generative language model. The correspondence includes at least the mapping relationship between key grammatical segments in the original representation and corresponding semantic nodes in the semantically normalized representation, the alignment relationship between the original character sequence and the abstract grammatical structure, and the association relationship between key semantic units under different representations.

4. The method for automatically generating rules for a Web application firewall according to claim 1, characterized in that, Candidate detection rules include at least rule matching objects, detection conditions, and corresponding action information; rule matching objects include request parameters, request bodies, URLs, cookies, or request header fields; the detection conditions include keyword matching, regular expression matching, structural feature matching, or combined logic conditions; the action information includes interception, alarm, or logging.

5. The method for automatically generating rules for a Web application firewall according to claim 1, characterized in that, Format constraints and syntax adaptation processing include: according to the rule language specification of the target WAF system, completing, standardizing or transforming the field names, matching syntax, logical connection methods, action configurations, priority identifiers and necessary parameters in the candidate rules; each candidate rule in the candidate detection rule set is associated with the original representation of the input and the semantically standardized representation, which is used to track the rule source and evaluate the rule effect.

6. The method for automatically generating rules for a Web application firewall according to claim 1, characterized in that, The input Web request data is processed to construct multi-view data containing both raw and semantically normalized representations, including the following steps: The system parses the input Web request data, extracts the URL, parameters, request body and cookie content and preprocesses them, identifies target fragments in the attack payload, constructs an abstract syntax tree through lexical analysis and syntax analysis, and uses fault-tolerant parsing to construct a local tree representation for abnormal input. The abstract syntax tree is semantically normalized, including unified identifier replacement, constant normalization placeholder replacement, encoding escaping and restoration, and standardized rewriting of syntax structure. At the same time, it retains attack semantic relationships such as logical operations, function calls, and query levels, and outputs a standardized representation. Based on the above analysis and normalization results, the original request representation and the corresponding normalized semantic representation are extracted and bound for each Web request to form a multi-perspective data pair. At the same time, the mapping relationship, alignment relationship and association relationship between the original representation and the normalized semantic representation are established.

7. The method for automatically generating rules for a Web application firewall according to claim 1, characterized in that, The generated Web Application Firewall (WAF) rules are evaluated for effectiveness, filtered, and iteratively optimized to ultimately produce deployable WAF rules, including the following steps: Perform syntax compilation and validation on Web application firewall rules, and remove invalid rules; Based on attack samples, assess interception capabilities and label inefficient rules; Based on the assessment of false alarm rate according to normal traffic, high-risk rules are marked. The system integrates compilation, interception, and false alarm results to perform multi-dimensional scoring and ranking, and then selects high-quality rules. For rules that fail validation, feedback information is generated based on the characteristics of missed samples or false alarms to guide rule adjustment or regeneration, forming a closed-loop iteration. The filtered rules are encapsulated and deployed to the WAF engine, while the verification results are recorded for continuous optimization.

8. A system for automatically generating rules for a Web application firewall, characterized in that, include: The multi-view data construction module is used to process the input Web request data and construct multi-view data containing both the original representation and the semantically normalized representation. The semantically enhanced rule generation module is used to generate Web application firewall rules based on the correspondence between the original representation and the semantically normalized representation in multi-view data, including the following steps: By using a generative language model, candidate detection rules for targeted attack behaviors are generated based on the correspondence between the original representation and the semantically normalized representation in multi-view data. The candidate detection rules are subjected to format constraints and syntax adaptation to meet the rule syntax requirements of the target WAF system, and the Web Application Firewall rules are output. The multi-stage verification and feedback module is used to evaluate the effectiveness of the generated Web Application Firewall rules, filter them, and iteratively optimize them.

9. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the program, it implements the steps of the automatic rule generation method for the Web application firewall as described in any one of claims 1 to 7.

10. A non-transitory computer-readable storage medium storing computer instructions, characterized in that, When the instruction is executed by the processor, it implements the steps of the automatic rule generation method for the Web application firewall as described in any one of claims 1 to 7.