CN116319005A - Attack detection method, device and processing system combined with natural language processing model - Google Patents


Info

Publication number: CN116319005A
Authority: CN (China)
Prior art keywords: network traffic, attack, natural language, detection mechanism, traffic
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202310282395.8A
Other languages: Chinese (zh)
Inventor: 严文涛
Current assignee: Shanghai Ambiton Information Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shanghai Ambiton Information Technology Co ltd
Events: application filed by Shanghai Ambiton Information Technology Co ltd; priority to CN202310282395.8A; publication of CN116319005A; legal status pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G10 MUSICAL INSTRUMENTS; ACOUSTICS
    • G10L SPEECH ANALYSIS TECHNIQUES OR SPEECH SYNTHESIS; SPEECH RECOGNITION; SPEECH OR VOICE PROCESSING TECHNIQUES; SPEECH OR AUDIO CODING OR DECODING
    • G10L 15/00 Speech recognition
    • G10L 15/08 Speech classification or search
    • G10L 15/18 Speech classification or search using natural language modelling
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate


Abstract

The application provides an attack detection method, an attack detection device and an attack detection system combined with a natural language processing model, which are used to construct a two-layer attack network traffic detection mechanism incorporating the natural language processing model, so that network security is further ensured. The attack detection method combined with the natural language processing model comprises the following steps: obtaining target network traffic output by an initial rule detection mechanism, where the target network traffic is traffic that the initial rule detection mechanism has judged to be non-attack network traffic, and the initial rule detection mechanism is the original rule detection mechanism in the network architecture; inputting the target network traffic into a pre-configured natural language processing model, so that the natural language processing model judges whether the target network traffic is attack network traffic; and if the target network traffic is determined to be attack network traffic, initiating attack network traffic response processing for the target network traffic.

Description

Attack detection method, device and processing system combined with natural language processing model
Technical Field
The present application relates to the field of network security, and in particular, to an attack detection method, apparatus, and processing system that combine a natural language processing model.
Background
In network security, the current mainstream approach is to use deep packet inspection (Deep Packet Inspection, DPI) technology, mainly for protecting Web applications accessed over HTTP, and intrusion prevention system (Intrusion Prevention System, IPS) technology aimed at the operating system. These are deployed in front of the Web application and scan and filter user requests before they reach the Web server, analysing and checking the network packets of each request to ensure that it is valid and safe, and intercepting or isolating requests that are invalid or exhibit offensive behaviour.
At present the common attack detection approach is to perform rule matching on fields in the traffic such as the data submitted by the user, Cookies and the Referer header. The matching methods are mainly the following: 1. signature detection: detecting threats in network traffic, such as viruses, malware and intrusion behaviour, on the basis of rules or patterns (regular expressions) written in advance; 2. traffic analysis: detecting network threats and responding quickly by analysing network traffic, for example with packet capture techniques and traffic analysis tools; 3. behaviour analysis: monitoring the behaviour of network traffic to detect abnormal activity, such as large data flows or frequent access attempts, and so discover potential network threats; 4. semantics-based rule matching, i.e. designing the detection engine as an SQL semantic interpreter or command-line terminal that attempts to understand whether the content entered by the user could constitute a valid attack.
However, the applicant has found that each of the above mainstream matching schemes has its own problems in practice. For 1, signature detection: because attack techniques are diverse, an experienced attacker can bypass detection simply by altering a few statements. Regular-expression patterns evolved from keyword patterns and reduced the false-positive rate to some extent, but since regular expressions filter on character strings they can only detect predefined attack behaviours; they still show a high false-positive rate for some relatively complex injection methods, and they can never protect against unknown threats, since a rule can only be written from the attack message after an attack has occurred, so new, unknown attacks cannot be detected and the method is easily bypassed. For 2, traffic analysis: capturing and analysing the network traffic requires considerable computing and storage resources, and real-time analysis is difficult. For 3, behaviour analysis: some legitimate activity, such as high traffic volume, may be reported falsely, and the method needs a long training and learning period, so it can be inefficient. For 4, rule matching based on grammatical analysis: this is aimed mainly at SQL injection and, compared with the methods described in 1 and 2, because only the semantics of SQL are considered it can recognise some variant SQL (for example bypasses through symbol encoding or inserted comments), which lowers both the false-positive and the false-negative rate and improves execution efficiency. However, what is matched is the information submitted by the user, which deviates from the SQL statement finally submitted to the database for execution, so false positives still arise. A scheme has been proposed that combines the user-submitted information with various predefined dynamic SQL templates to generate SQL statements and then rule-matches the generated statements again in order to lower the false-positive rate, but in an application containing a large number of SQL templates the overall matching efficiency drops. Secondly, the configuration of the rule set directly determines the false-positive and false-negative rates: the stricter the rules, the lower the false-negative rate but the higher the false-positive rate; conversely, the looser the rules, the lower the false-positive rate but the higher the false-negative rate.
Clearly, the above solutions suffer from limited attack detection precision. In practice, network security detection based on a traffic analysis engine can analyse and inspect request packets, but it only analyses the network packets and performs some rule matching, so its security detection capability is limited, and at the same time the traffic analysis engine can be bypassed in a targeted way to achieve intrusion.
Disclosure of Invention
The application provides an attack detection method, an attack detection device and an attack detection system combined with a natural language processing model, which are used for constructing a double-layer attack network flow detection mechanism combined with the natural language processing model, so that network security is further ensured.
In a first aspect, the present application provides a method for detecting an attack in combination with a natural language processing model, the method including:
obtaining target network traffic output by an initial rule detection mechanism, wherein the target network traffic is the traffic of which the initial rule detection mechanism judges as non-attack network traffic, and the initial rule detection mechanism is an original rule detection mechanism in a network architecture;
inputting the target network traffic into a pre-configured natural language processing model, so that the natural language processing model judges whether the target network traffic is attack network traffic or not;
and if the target network traffic is determined to be attack network traffic, initiating attack network traffic response processing for the target network traffic.
With reference to the first aspect of the present application, in a first possible implementation manner of the first aspect of the present application, initiating an attack network traffic response process for a target network traffic includes:
extracting an attack behavior judgment rule of the target network traffic;
and writing the attack behavior judgment rule into an initial rule detection mechanism to perfect the initial rule detection mechanism.
With reference to the first possible implementation manner of the first aspect of the present application, in a second possible implementation manner of the first aspect of the present application, after extracting an attack behavior determination rule of the target network traffic, the method further includes:
and displaying the content of the attack behavior judgment rule.
With reference to the first aspect of the present application, in a third possible implementation manner of the first aspect of the present application, obtaining target network traffic output by an initial rule detection mechanism includes:
acquiring initial network traffic output by the initial rule detection mechanism;
and mirroring the initial network traffic while releasing it, the resulting mirrored traffic being used as the target network traffic.
With reference to the third possible implementation manner of the first aspect of the present application, in a fourth possible implementation manner of the first aspect of the present application, initiating attack network traffic response processing for the target network traffic includes:
extracting first five-tuple information of the network traffic and marking it with an abnormal flag;
and, during subsequent mirroring, if the current network traffic carries first five-tuple information marked with the abnormal flag, not mirroring it and blocking it directly.
With reference to the third possible implementation manner of the first aspect of the present application, in a fifth possible implementation manner of the first aspect of the present application, if the network traffic is determined not to be attack network traffic, the method further includes:
extracting second five-tuple information of the network traffic and marking it with a normal flag;
and, during subsequent mirroring, if the current network traffic carries second five-tuple information marked with the normal flag, not mirroring it and releasing it directly.
With reference to the first aspect of the present application, in a sixth possible implementation manner of the first aspect of the present application, the natural language processing model is specifically ChatGPT, New Bing or GPT-3.
In a second aspect, the present application provides an attack detection device combined with a natural language processing model, where the attack detection device includes:
the acquisition unit is used for acquiring the target network traffic output by the initial rule detection mechanism, wherein the target network traffic is the traffic of which the initial rule detection mechanism judges as the non-attack network traffic, and the initial rule detection mechanism is the original rule detection mechanism in the network architecture;
the input unit is used for inputting the target network traffic into a pre-configured natural language processing model so that the natural language processing model judges whether the network traffic is attack network traffic or not;
and the response unit is used for initiating attack network flow response processing aiming at the target network flow if the target network flow is judged to be the attack network flow.
With reference to the second aspect of the present application, in a first possible implementation manner of the second aspect of the present application, the response unit is specifically configured to:
extracting an attack behavior judgment rule of the target network traffic;
and writing the attack behavior judgment rule into an initial rule detection mechanism to perfect the initial rule detection mechanism.
With reference to the first possible implementation manner of the second aspect of the present application, in a second possible implementation manner of the second aspect of the present application, the response unit is further configured to:
and displaying the content of the attack behavior judgment rule.
With reference to the second aspect of the present application, in a third possible implementation manner of the second aspect of the present application, the acquiring unit is specifically configured to:
acquire initial network traffic output by the initial rule detection mechanism;
and mirror the initial network traffic while releasing it, the resulting mirrored traffic being used as the target network traffic.
With reference to the third possible implementation manner of the second aspect of the present application, in a fourth possible implementation manner of the second aspect of the present application, the response unit is specifically configured to:
extract first five-tuple information of the network traffic and mark it with an abnormal flag;
and, during subsequent mirroring, if the current network traffic carries first five-tuple information marked with the abnormal flag, not mirror it and block it directly.
With reference to the third possible implementation manner of the second aspect of the present application, in a fifth possible implementation manner of the second aspect of the present application, if the network traffic is determined not to be attack network traffic, the response unit is further configured to:
extract second five-tuple information of the network traffic and mark it with a normal flag;
and, during subsequent mirroring, if the current network traffic carries second five-tuple information marked with the normal flag, not mirror it and release it directly.
With reference to the second aspect of the present application, in a sixth possible implementation manner of the second aspect of the present application, the natural language processing model is specifically ChatGPT, New Bing or GPT-3.
In a third aspect, the present application provides a processing system comprising a processor and a memory, the memory having stored therein a computer program, the processor executing the method provided by the first aspect of the present application or any one of the possible implementations of the first aspect of the present application when calling the computer program in the memory.
In a fourth aspect, the present application provides a computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method provided in the first aspect of the present application or any one of the possible implementations of the first aspect of the present application.
From the above, the present application has the following advantages:
for the detection of attack network traffic, after the target network traffic output by the initial rule detection mechanism is obtained, it is further input into a pre-configured natural language processing model so that the model judges whether it is attack network traffic. Here the target network traffic is traffic that the initial rule detection mechanism has judged to be non-attack network traffic, and the initial rule detection mechanism is the original rule detection mechanism in the network architecture. If the traffic is judged to be attack network traffic, attack network traffic response processing is initiated for the target network traffic. With this arrangement a two-layer attack network traffic detection mechanism is constructed by incorporating the natural language processing model: the traffic released by the original initial rule detection mechanism in the network architecture is detected a second time using the high-precision attack behaviour detection of the natural language processing model, so that network security is further ensured.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of an attack detection method combining a natural language processing model;
FIG. 2 is a schematic diagram of a scenario of a prior art rule detection mechanism;
FIG. 3 is a schematic view of a scenario of an attack detection method according to the present application in combination with a natural language processing model;
FIG. 4 is a schematic view of a scenario illustrating exemplary traffic flow of the present application;
FIG. 5 is a schematic view of yet another scenario of the exemplary traffic of the present application;
FIG. 6 is a schematic diagram of yet another scenario featuring exemplary traffic of the present application;
FIG. 7 is a schematic view of yet another scenario featuring exemplary traffic of the present application;
FIG. 8 is a schematic view of a scenario of the processing result of the natural language processing model of the present application;
FIG. 9 is a schematic view of another scenario of the processing result of the natural language processing model;
FIG. 10 is a schematic structural diagram of an attack detection device according to the present application in combination with a natural language processing model;
FIG. 11 is a schematic diagram of a processing system according to the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by those skilled in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or modules is not necessarily limited to those steps or modules that are expressly listed or inherent to such process, method, article, or apparatus. The naming or numbering of the steps in the present application does not mean that the steps in the method flow must be executed according to the time/logic sequence indicated by the naming or numbering, and the execution sequence of the steps in the flow that are named or numbered may be changed according to the technical purpose to be achieved, so long as the same or similar technical effects can be achieved.
The division of the modules in the present application is a logical division, and may be implemented in another manner in practical application, for example, a plurality of modules may be combined or integrated in another system, or some features may be omitted or not implemented, and in addition, coupling or direct coupling or communication connection between the modules that are shown or discussed may be through some interfaces, and indirect coupling or communication connection between the modules may be in an electrical or other similar form, which is not limited in this application. The modules or sub-modules described as separate components may or may not be physically separate, or may be distributed in a plurality of circuit modules, and some or all of the modules may be selected according to actual needs to achieve the purposes of the present application.
Before describing the attack detection method combined with the natural language processing model, the background content related to the application is first described.
The attack detection method, the attack detection device and the computer readable storage medium combined with the natural language processing model can be applied to a processing system and used for constructing a double-layer attack network flow detection mechanism combined with the natural language processing model, so that network security is further guaranteed.
The execution subject of the attack detection method combined with the natural language processing model can be an attack detection device combined with the natural language processing model or a processing system integrated with the attack detection device combined with the natural language processing model.
The attack detection device combined with the natural language processing model can be realised in hardware or in software, and the processing system can comprise different types of equipment such as a gateway, a server, a physical host or user equipment (UE); the attack detection device may be located at a network node in the network architecture or at a terminal device on the user side, and can be configured flexibly according to the actual situation. The UE may be a terminal device such as a smart phone, a tablet computer, a notebook computer, a desktop computer or a personal digital assistant (Personal Digital Assistant, PDA), and the processing system may also be formed by a device cluster.
Next, an attack detection method combined with a natural language processing model provided in the present application will be described.
Referring to fig. 1, fig. 1 shows a flow chart of an attack detection method combined with a natural language processing model according to the present application, and the attack detection method combined with the natural language processing model according to the present application may specifically include steps S101 to S103 as follows:
Step S101, obtaining target network traffic output by an initial rule detection mechanism, wherein the target network traffic is traffic which is judged to be non-attack network traffic by the initial rule detection mechanism, and the initial rule detection mechanism is an original rule detection mechanism in a network architecture;
It should be understood that the improvement the present application makes over the prior art does not directly replace the rule detection mechanism deployed in the original network architecture; it is implanted into the network architecture and cooperates with the rule detection mechanism already deployed there, so that the network security goal is achieved with more assurance.
The original rule detection mechanism in the network architecture is referred to here as the initial rule detection mechanism. It may also be referred to by product names such as an IPS (intrusion prevention system), a rule engine, a detection strategy, a detection module or a detection system, for example an intrusion detection engine such as Suricata or Snort.
In the matching process of the original initial rule detection mechanism in the network architecture, the application focuses specifically on the "released" network traffic, that is, the traffic judged to be non-attack network traffic; it is this traffic that the application marks as the target network traffic, the object of secondary detection.
Step S102, inputting the target network traffic into a pre-configured natural language processing model, so that the natural language processing model judges whether the network traffic is attack network traffic or not;
It should be appreciated that the present application introduces a natural language processing (Natural Language Processing, NLP) model to perform the secondary detection of attack network traffic. NLP is an important branch of artificial intelligence (Artificial Intelligence) whose goal is to enable a computer to understand, analyse and generate human natural language; the present application applies it to the task of analysing attack behaviour in network traffic, where it offers highly flexible security detection and strong confidence.
The natural language processing model is pre-configured with an analysis strategy for analysing, on the basis of natural language, whether the network traffic exhibits attack behaviour, that is, whether it is attack network traffic. In a specific application, inputting the target network traffic can be done by calling the model's interface; once the target network traffic has been input, the natural language processing model analyses whether it is attack network traffic and outputs the judgement result.
The natural language processing model adopted in the application can specifically be a model such as ChatGPT, New Bing or GPT-3.
Step S103, if the target network traffic is determined to be the attack network traffic, the attack network traffic response process is initiated for the target network traffic.
Obviously, if the natural language processing model judges that the target network traffic is attack network traffic, this complements the original initial rule detection mechanism in the network architecture by identifying target network traffic that was wrongly passed as normal traffic, so corresponding attack network traffic response processing can be initiated for the target network traffic now judged to be attack traffic, in accordance with the response requirements for attack network traffic.
The attack network traffic response processing referred to herein may respond according to an existing response manner, or may also perform a corresponding optimization design in a specific application, so as to achieve a better response effect, and may be configured according to actual needs.
As can be seen from the foregoing embodiment, for the detection of attack network traffic the application, after obtaining the target network traffic output by the initial rule detection mechanism, further inputs it into the pre-configured natural language processing model so that the model determines whether it is attack network traffic; here the target network traffic is traffic that the initial rule detection mechanism determined to be non-attack network traffic, and the initial rule detection mechanism is the original rule detection mechanism in the network architecture. If the traffic is determined to be attack network traffic, attack network traffic response processing is then initiated for the target network traffic.
The steps of the embodiment shown in fig. 1 and the possible implementation thereof in practical applications will be described in detail.
It was mentioned above that, for the attack network traffic response processing of the present application, besides directly reusing the response content of the prior art, a corresponding optimised design can be made in a specific application. For the two-layer attack network traffic detection mechanism obtained by combining the existing detection rule mechanism in the network architecture with the natural language processing model, the more practical attack network traffic response processing that can be configured in real applications is introduced below.
As a practical implementation, initiating attack-traffic response processing for the target network traffic in step S103 may specifically include:
extracting an attack behavior judgment rule for the target network traffic; and
writing the attack behavior judgment rule into the initial rule detection mechanism to improve the initial rule detection mechanism.
Because the natural language processing model has strong language expression capability, when the target network traffic is judged to exhibit attack behavior and to be attack traffic, the model can also extract and output an attack behavior judgment rule for that traffic, i.e. the judgment logic or basis on which the attack behavior was identified. Writing that rule into the original rule detection mechanism in the network architecture updates the mechanism.
Under this arrangement, the detection rules generated by the natural language processing model allow the initial rule detection mechanism to block the same kind of attack directly when it is encountered later, which improves protection efficiency, continuously improves network security, and achieves adaptive security.
In addition, because this arrangement targets real security events, it has high accuracy and pertinence compared with an original rule detection mechanism that carries a large number of redundant rules and produces many false alarms in its attempt to stop every attack; the update and optimization it performs is therefore high-accuracy.
Besides optimizing the original rule detection mechanism at the software level, the judgment process of the natural language processing model can also be considered from a product point of view: because it is based on natural language, it is readily visualizable, and the logic or basis for judging why the traffic constitutes attack behavior can be presented to the user in natural language. Presenting the principle behind the judgment improves the credibility of the system and helps the user learn from it.
Correspondingly, after the attack behavior judgment rule of the target network traffic is extracted, as another practical implementation the method of the application may further include:
displaying the content of the attack behavior judgment rule.
The display screen (including a touch screen) used for this display may be the screen of the device itself, an external screen connected to the device, or a separate device that has a display screen.
The display may be performed locally, or remote display may be achieved by pushing or through a cloud service.
In addition, to make the scheme easier to embed into a specific application scenario, as yet another practical implementation, obtaining the target network traffic output by the initial rule detection mechanism in step S101 may specifically include:
acquiring the initial network traffic output by the initial rule detection mechanism; and
mirroring the initial network traffic while releasing it, the resulting mirrored traffic serving as the target network traffic.
A mirroring mechanism is thus introduced: the original network traffic that is subjected to secondary detection by the natural language processing model continues to be transmitted and processed in the original manner rather than being held back to wait for the secondary detection, so network efficiency is not affected.
At the same time, because the natural language processing model performs its secondary detection on the mirrored traffic, the constraints on detection duration and processing efficiency can be relaxed appropriately, which favors deeper natural-language-based detection of attack behavior and, in turn, higher detection accuracy.
In practice, the mirroring is generally performed by a configured traffic mirroring module or node.
Building on the mirroring, the application can also configure a more practical implementation in combination with the attack-traffic response processing.
Specifically, initiating attack-traffic response processing for the target network traffic in step S103 may further include:
extracting first five-tuple information of the network traffic and marking it with an abnormal mark; and
during subsequent mirroring, if the current network traffic carries the first five-tuple information marked abnormal, skipping the mirroring and blocking the traffic directly.
In the response, the corresponding traffic can be handled directly on the basis of its five-tuple: network traffic with the same five-tuple as the current attack traffic can itself be regarded as attack traffic. Marking the five-tuple as abnormal provides the reference for this, so that such traffic is not mirrored and no unnecessary secondary detection by the natural language processing model is performed, which preserves overall processing efficiency, while the current traffic is blocked directly and discarded rather than continuing its original transmission or processing.
Note that "the current network traffic carries the first five-tuple information marked abnormal" does not mean that the five-tuple of the current traffic itself has been marked; rather, the five-tuple information is recorded at the mirroring node and marked abnormal there, so whether the traffic currently waiting to be mirrored has a five-tuple marked abnormal can be determined by matching five-tuple information.
The above covers the case in which the natural language processing model judges the target network traffic to be attack traffic. Building on the mirroring, the application also has an optimization for the case in which the model judges the target network traffic to be normal.
Specifically, after step S102, if the network traffic is judged not to be attack traffic, the method may further include:
extracting second five-tuple information of the network traffic and marking it with a normal mark; and
during subsequent mirroring, if the current network traffic carries the second five-tuple information marked normal, skipping the mirroring and releasing the traffic directly.
This mirrors the marking of abnormal five-tuples above: the five-tuple of traffic judged normal by the natural language processing model is regarded as belonging to normal traffic, so subsequent mirroring can ignore traffic carrying a five-tuple marked normal and release it to continue its original transmission or processing, balancing network security against processing efficiency.
Through these two kinds of marks, trusted traffic is not subjected to redundant detection while untrusted traffic receives focused judgment.
Of course, besides marking five-tuple information, marking bits of other formats may be used; this is to be adjusted according to the actual situation.
For ease of understanding, the exemplary arrangements above can also be viewed against fig. 2, a scene diagram of a prior-art rule detection mechanism, and fig. 3, a scene diagram of the attack detection method of the present application combined with a natural language processing model.
As fig. 3 shows, for the network traffic released by the existing initial rule detection mechanism in the network architecture, the present application combines a traffic mirroring module with the natural language processing model to introduce a series of finer judgment and response processing for attack traffic.
Building on fig. 3, the following set of practical examples may also be consulted to aid understanding.
1. Rule engine parsing traffic (initial rule detection mechanism)
The original traffic passes through the rule engine, which runs the original IPS flow: traffic identified as attack traffic is blocked directly, and all other traffic is released.
The rule engine comprises the "traffic parsing" and "rule matching" parts in fig. 3, together with the blocking and releasing treatment actions.
The rule engine parses the original traffic into key field data and then performs rule matching. If a rule matches, the message exhibits attack behavior; if no rule matches, the message is considered low-risk.
As an example, the traffic received by the rule engine may be as in fig. 4, a scene diagram of the exemplary traffic of the present application.
The rule engine may group traffic by session; messages in the same group are typically the request and response messages of the same five-tuple, as shown in fig. 5, another scene diagram of the exemplary traffic of the present application.
The rule engine disassembles the traffic layer by layer through the protocol hierarchy until all fields are parsed out, as shown in fig. 6, a further scene diagram of the exemplary traffic of the present application.
The rule engine extracts the plaintext application-layer requests as the content to be detected, as shown in fig. 7, a further scene diagram of the exemplary traffic of the present application.
2. Traffic mirroring module
For traffic not identified as an attack, the traffic mirroring module mirrors the traffic while passing it and sends the copy to the natural language processing model interface. The traffic mirroring module identifies a flag bit for each session; in the table below, the second row gives the value range and the third row is an example:
Five-tuple                                                            Status              Action
Source IP, source port, destination IP, destination port, protocol   abnormal / normal   block / pass
113.25.35.6, 8808, 192.168.2.25, 443, https                           abnormal            pass
For newly established traffic, the flag bit may default to abnormal with the action pass.
If an attack is detected after the copy is sent to the natural language processing model interface, the flag is set to abnormal, block; subsequent traffic of the session with that five-tuple is then discarded directly and no longer released.
If no attack is detected after the copy is sent to the natural language processing model interface, the flag is set to normal, pass; subsequent traffic of the session with that five-tuple can then be released directly.
3. Natural language processing model attack judgment module
The attack judgment module can call the OpenAI API and put questions to natural language processing models such as ChatGPT, New Bing or GPT-3 so that they judge whether an attack is present; the schematic code is as follows:
[code figure Figure BDA0004138559890000131 not reproduced in the text]
Through these functions, questions can be posed to natural language processing models such as ChatGPT; fig. 8 is a scene diagram of a processing result of the natural language processing model in the present application.
Natural language processing models such as ChatGPT can return a clear conclusion on whether attack behavior exists together with a description of the behavior, which completes one attack judgment.
When a large number of requests must be judged, they can be stored in a buffer queue and then interpreted for attacks by a natural language processing model such as ChatGPT; example code is as follows:
[code figures Figure BDA0004138559890000132 and Figure BDA0004138559890000141 not reproduced in the text]
With a similar code flow, batch message attack detection can be realized; for example, after a period of detection the log reads: "15225 messages detected, 14892 attacks identified, detection rate: 97.81%".
4. Traffic marking module
The traffic marking module comprises the two actions "abnormal traffic marking" and "normal traffic marking" in fig. 3. It is mainly responsible for acting on the judgment feedback of the natural language processing model and marking the flag bit on the traffic five-tuple; in the table below, the second row gives the value range and the third and fourth rows are examples:
Five-tuple                                                            Status              Action
Source IP, source port, destination IP, destination port, protocol   abnormal / normal   block / pass
113.25.35.6, 58322, 192.168.2.25, 443, https                          abnormal            pass
113.25.35.6, 58808, 192.168.2.25, 80, http                            normal              pass
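The mirroring and five-tuple marking described in the method section above (mirroring while releasing, the abnormal and normal marks, skipping the mirror for marked tuples) and the traffic mirroring and traffic marking modules of parts 2 and 4 here, as an added Python example that is not the patent's code. The flag table layout follows the tables above; the session tuples, payloads and the stand-in verdict function are constructed for this example.

```python
"""Mirror module with a five-tuple flag table.

Added example; this is not the patent's own code. It models the mirror
module, the flag table (status abnormal/normal, action block/pass) and
the marking module. Session tuples, payloads and the stand-in verdict
function are constructed for the demonstration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Tuple

FiveTuple = Tuple[str, int, str, int, str]   # src IP, src port, dst IP, dst port, protocol


@dataclass
class Flag:
    status: str   # "abnormal" or "normal"
    action: str   # "block" or "pass"


class MirrorModule:
    """Sits after the rule engine, on the traffic the rule engine released."""

    def __init__(self) -> None:
        self.table: Dict[FiveTuple, Flag] = {}
        self.queue: Deque[Tuple[FiveTuple, str]] = deque()   # mirrored copies awaiting a verdict
        self.mirrored = 0

    def process(self, session: FiveTuple, payload: str) -> str:
        """Return the action for this message; mirror it only when the tuple is unmarked."""
        flag = self.table.get(session)
        if flag is not None and flag.action == "block":
            return "block"          # marked abnormal + block: drop, no mirror, no re-judging
        if flag is not None and flag.status == "normal":
            return "pass"           # marked normal: release, no redundant secondary detection
        # Unknown (or still undecided) tuple: default flag abnormal / pass, release the
        # original immediately and hand a copy to the secondary detector.
        self.table.setdefault(session, Flag("abnormal", "pass"))
        self.queue.append((session, payload))
        self.mirrored += 1
        return "pass"

    def apply_verdicts(self, judge: Callable[[str], bool]) -> int:
        """Marking module: drain the mirrored copies and write each verdict into the table."""
        count = 0
        while self.queue:
            session, payload = self.queue.popleft()
            self.table[session] = Flag("abnormal", "block") if judge(payload) else Flag("normal", "pass")
            count += 1
        return count


def run_demo() -> Dict[str, object]:
    """Constructed walk-through: one attack session and one benign session, two messages each."""
    judge = lambda payload: "union select" in payload.lower()   # stand-in for the model verdict
    mirror = MirrorModule()
    s_attack = ("113.25.35.6", 58322, "192.168.2.25", 443, "https")
    s_benign = ("113.25.35.6", 58808, "192.168.2.25", 80, "http")
    out: Dict[str, object] = {}
    out["first_attack"] = mirror.process(s_attack, "GET /?id=1 UNION SELECT user,pass FROM t")
    out["first_benign"] = mirror.process(s_benign, "GET /index.html")
    out["default_flag"] = mirror.table[s_attack]          # abnormal / pass until judged
    out["judged"] = mirror.apply_verdicts(judge)
    out["attack_flag"] = mirror.table[s_attack]
    out["benign_flag"] = mirror.table[s_benign]
    out["second_attack"] = mirror.process(s_attack, "GET /?id=2 UNION SELECT 1,2")
    out["second_benign"] = mirror.process(s_benign, "GET /about.html")
    out["mirrored"] = mirror.mirrored                      # second messages were not mirrored
    return out


if __name__ == "__main__":
    print(run_demo())
```

In `process`, the first message of an unknown session is released before any verdict exists, exactly as the mirroring design intends; the mark only affects later traffic carrying the same five-tuple. Because a client's source port changes on every new connection, an attacker who reconnects presents a different five-tuple and is mirrored and judged again; a deployment that wants to stop the attacker rather than the session would key the table on a coarser tuple, which is the kind of alternative marking format the method section leaves open.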
5. Rule generation module
For traffic judged to be an attack, the natural language processing model can generate a rule, as in fig. 9, a scene diagram of a processing result of the natural language processing model. The rule is written into the preceding rule detection engine; after the rule engine hot-loads it, the same message is detected quickly next time, so the same attack can be recognized and blocked quickly thereafter.
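The rule engine of part 1 (grouping by five-tuple session, parsing the plaintext application-layer request into fields, rule matching) and the rule generation module of part 5 (writing a model-generated rule into the engine and hot-loading it), together in one added Python example that is not the patent's code. The rule format, the JSON shape in which a generated rule is assumed to arrive, the benign corpus and every sample request are constructed for this example.

```python
"""Rule engine with hot-loaded, model-generated rules.

Added example; this is not the patent's own code. The rule format, the
assumed JSON form of a generated rule and all sample requests are
constructed for this demonstration.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

FiveTuple = Tuple[str, int, str, int, str]   # src IP, src port, dst IP, dst port, protocol


@dataclass
class Rule:
    sid: int
    msg: str
    target: str      # parsed field the pattern applies to: "uri", "body", "header.user-agent", ...
    pattern: str     # regular expression, matched case-insensitively
    rx: "re.Pattern" = field(init=False, repr=False, compare=False)

    def __post_init__(self) -> None:
        self.rx = re.compile(self.pattern, re.I)


def parse_http_request(raw: str) -> Dict[str, str]:
    """Break a plaintext HTTP request into the fields that rules are matched against."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = (lines[0].split(" ", 2) + ["", ""])[:3]
    fields = {"method": method, "uri": unquote(uri), "version": version, "body": unquote(body)}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            fields["header." + name.strip().lower()] = value.strip()
    return fields


class RuleEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules: Dict[int, Rule] = {r.sid: r for r in rules}
        self.sessions: Dict[FiveTuple, List[str]] = {}   # messages grouped by five-tuple

    def match(self, fields: Dict[str, str]) -> Optional[Rule]:
        for rule in self.rules.values():
            if rule.rx.search(fields.get(rule.target, "")):
                return rule
        return None

    def process(self, session: FiveTuple, raw: str) -> str:
        """IPS path: block on the first matching rule, otherwise release."""
        self.sessions.setdefault(session, []).append(raw)
        return "block" if self.match(parse_http_request(raw)) else "pass"

    def hot_load(self, rule: Rule, benign_corpus: List[str]) -> bool:
        """Add a rule without a restart, but refuse one that fires on known-good traffic."""
        for raw in benign_corpus:
            if rule.rx.search(parse_http_request(raw).get(rule.target, "")):
                return False
        self.rules[rule.sid] = rule
        return True


def rule_from_model_output(text: str, sid: int) -> Optional[Rule]:
    """Parse the assumed JSON form {"msg": ..., "field": ..., "pattern": ...} of a generated rule."""
    try:
        obj = json.loads(text)
        return Rule(sid, str(obj["msg"]), str(obj["field"]), str(obj["pattern"]))
    except (ValueError, KeyError, TypeError, re.error):
        return None


# Constructed traffic and constructed model outputs.
BENIGN = [
    "GET /index.html HTTP/1.1\r\nHost: 192.168.2.25\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: 192.168.2.25\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=hunter2",
]
SQLI = "GET /search?q=1'%20UNION%20SELECT%20password%20FROM%20users-- HTTP/1.1\r\nHost: 192.168.2.25\r\n\r\n"
TRAVERSAL = "GET /download?file=../../etc/passwd HTTP/1.1\r\nHost: 192.168.2.25\r\n\r\n"
GENERATED = r'{"msg": "path traversal in URI", "field": "uri", "pattern": "\\.\\./"}'
OVERBROAD = r'{"msg": "any request", "field": "uri", "pattern": "/"}'


def run_demo() -> Dict[str, object]:
    engine = RuleEngine([Rule(1000001, "SQL injection: UNION SELECT", "uri", r"union\s+select")])
    client = ("10.0.0.8", 40000, "192.168.2.25", 80, "http")
    attacker = ("113.25.35.6", 58322, "192.168.2.25", 80, "http")
    out: Dict[str, object] = {}
    out["benign"] = engine.process(client, BENIGN[0])
    out["sqli"] = engine.process(attacker, SQLI)
    out["before"] = engine.process(attacker, TRAVERSAL)        # the initial rules miss it
    new_rule = rule_from_model_output(GENERATED, sid=1000002)
    out["generated_loaded"] = new_rule is not None and engine.hot_load(new_rule, BENIGN)
    out["after"] = engine.process(attacker, TRAVERSAL)         # caught by the hot-loaded rule
    bad_rule = rule_from_model_output(OVERBROAD, sid=1000003)
    out["overbroad_loaded"] = bad_rule is not None and engine.hot_load(bad_rule, BENIGN)
    out["rule_ids"] = sorted(engine.rules)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The check in `hot_load` is the caveat a practitioner would want for this module: a rule written by a language model goes straight into an inline blocking path, so before it is loaded the block compiles it and runs it over a corpus of known-good requests, rejecting anything that fires there (the `OVERBROAD` rule is rejected for exactly that reason). The benign corpus and the rule format are assumptions of this example.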
The attack detection method combined with a natural language processing model has been described above. To facilitate its implementation, the application also provides, from the perspective of functional modules, an attack detection device combined with a natural language processing model.
Referring to fig. 10, a schematic structural diagram of the attack detection device combined with a natural language processing model according to the present application, the attack detection device 1000 may specifically include the following structure:
an obtaining unit 1001, configured to obtain target network traffic output by an initial rule detection mechanism, the target network traffic being traffic that the initial rule detection mechanism judged to be non-attack network traffic, and the initial rule detection mechanism being the original rule detection mechanism in the network architecture;
an input unit 1002, configured to input the target network traffic into a pre-configured natural language processing model so that the model judges whether the target network traffic is attack network traffic; and
a response unit 1003, configured to initiate attack network traffic response processing for the target network traffic if it is judged to be attack network traffic.
In an exemplary implementation, the response unit 1003 is specifically configured to:
extract an attack behavior judgment rule of the target network traffic; and
write the attack behavior judgment rule into the initial rule detection mechanism to improve the initial rule detection mechanism.
In yet another exemplary implementation, the response unit 1003 is further configured to:
display the content of the attack behavior judgment rule.
In yet another exemplary implementation, the obtaining unit 1001 is specifically configured to:
acquire initial network traffic output by the initial rule detection mechanism; and
mirror the initial network traffic while releasing it, the resulting mirrored traffic serving as the target network traffic.
In yet another exemplary implementation, the response unit 1003 is specifically configured to:
extract first five-tuple information of the network traffic and mark it with an abnormal mark; and
during subsequent mirroring, if the current network traffic carries the first five-tuple information marked abnormal, skip the mirroring and block the traffic directly.
In yet another exemplary implementation, if the network traffic is judged not to be attack network traffic, the response unit 1003 is further configured to:
extract second five-tuple information of the network traffic and mark it with a normal mark; and
during subsequent mirroring, if the current network traffic carries the second five-tuple information marked normal, skip the mirroring and release the traffic directly.
In yet another exemplary implementation, the natural language processing model is specifically ChatGPT, New Bing or GPT-3.
The present application further provides a processing system, described from the perspective of hardware structure with reference to fig. 11, a schematic structural diagram of the processing system of the present application. The processing system may include a processor 1101, a memory 1102 and an input/output device 1103. When executing a computer program stored in the memory 1102, the processor 1101 implements the steps of the attack detection method combined with a natural language processing model of the embodiment of fig. 1, or alternatively the functions of the units of the embodiment of fig. 10; the memory 1102 stores the computer program the processor 1101 needs in order to execute that method.
By way of example, the computer program may be partitioned into one or more modules or units that are stored in the memory 1102 and executed by the processor 1101 to carry out the present application. A module or unit may be a series of computer program instruction segments capable of performing a particular function, used to describe the execution of the computer program in the computer device.
The processing system may include, but is not limited to, the processor 1101, the memory 1102 and the input/output device 1103. Those skilled in the art will appreciate that the illustration is merely an example of a processing system and does not limit it: more or fewer components than shown may be included, certain components may be combined, or different components may be used. For example, the processing system may also include network access devices, buses and so on, with the processor 1101, memory 1102, input/output device 1103 and the rest connected by a bus.
The processor 1101 may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The processor is the control center of the processing system and connects the parts of the whole device through various interfaces and lines.
The memory 1102 may be used to store computer programs and/or modules; the processor 1101 implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory 1102 and invoking the data stored there. The memory 1102 may mainly include a program storage area and a data storage area: the program storage area may store an operating system and the application programs required for at least one function, and the data storage area may store data created during use of the processing system. In addition, the memory may include high-speed random access memory and may also include non-volatile memory such as a hard disk, internal memory, plug-in hard disk, Smart Media Card (SMC), Secure Digital (SD) card, Flash Card, at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
The processor 1101 is configured to execute the computer program stored in the memory 1102 and specifically implements the following functions:
obtaining target network traffic output by an initial rule detection mechanism, the target network traffic being traffic that the initial rule detection mechanism judged to be non-attack network traffic, and the initial rule detection mechanism being the original rule detection mechanism in the network architecture;
inputting the target network traffic into a pre-configured natural language processing model so that the model judges whether the target network traffic is attack network traffic; and
if the target network traffic is judged to be attack network traffic, initiating attack network traffic response processing for the target network traffic.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the attack detection device combined with a natural language processing model, the processing system and their units described above may refer to the description of the attack detection method combined with a natural language processing model in the embodiment of fig. 1, and is not repeated here.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, and that such instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, the present application provides a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to execute the steps of the attack detection method of the embodiment of fig. 1; the specific operations may refer to the description of the attack detection method in the embodiment of fig. 1 and are not repeated here.
The computer-readable storage medium may include read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disk, and the like.
Since the instructions stored in the computer-readable storage medium can perform the steps of the attack detection method of the embodiment of fig. 1, they can achieve the beneficial effects of that method, which have been described in detail above and are not repeated here.
The attack detection methods, devices, processing systems and computer-readable storage media combined with a natural language processing model provided herein have been described in detail above. Specific examples have been used to illustrate the principles and implementations of the present application; these examples serve only to aid understanding of the methods and core ideas of the application. Those skilled in the art will make variations in the specific embodiments and the scope of application in light of the ideas of the present application, and this description should therefore not be construed as limiting the application.

Claims (10)

1. An attack detection method in combination with a natural language processing model, the method comprising:
obtaining target network traffic output by an initial rule detection mechanism, wherein the target network traffic is traffic which is judged to be non-attack network traffic by the initial rule detection mechanism, and the initial rule detection mechanism is an original rule detection mechanism in a network architecture;
inputting the target network traffic into a pre-configured natural language processing model, so that the natural language processing model judges whether the target network traffic is attack network traffic or not;
and if the target network traffic is judged to be the attack network traffic, initiating attack network traffic response processing aiming at the target network traffic.
2. The method of claim 1, wherein the initiating an attack network traffic response process for the target network traffic comprises:
extracting an attack behavior judgment rule of the target network flow;
writing the attack behavior judgment rule into the initial rule detection mechanism to perfect the initial rule detection mechanism.
3. The method of claim 2, wherein after the extracting of the attack behavior judgment rule of the target network traffic, the method further comprises:
displaying the content of the attack behavior judgment rule.
4. The method of claim 1, wherein the obtaining the target network traffic output by the initial rule detection mechanism comprises:
acquiring initial network traffic output by the initial rule detection mechanism; and
mirroring the initial network traffic while releasing it, the resulting mirrored traffic serving as the target network traffic.
5. The method of claim 4, wherein the initiating attack network traffic response processing for the target network traffic comprises:
extracting first five-tuple information of the network traffic and marking it with an abnormal mark; and
during subsequent mirroring, if the current network traffic carries the first five-tuple information marked with the abnormal mark, skipping the mirroring and blocking the traffic directly.
6. The method of claim 4, wherein if the network traffic is judged not to be attack network traffic, the method further comprises:
extracting second five-tuple information of the network traffic and marking it with a normal mark; and
during subsequent mirroring, if the current network traffic carries the second five-tuple information marked with the normal mark, skipping the mirroring and releasing the traffic directly.
7. The method according to claim 1, wherein the natural language processing model is specifically ChatGPT, New Bing or GPT-3.
8. An attack detection device incorporating a natural language processing model, the device comprising:
the acquisition unit is used for acquiring the target network traffic output by the initial rule detection mechanism, wherein the target network traffic is the traffic which is judged to be non-attack network traffic by the initial rule detection mechanism, and the initial rule detection mechanism is an original rule detection mechanism in a network architecture;
an input unit, configured to input the target network traffic into a pre-configured natural language processing model, so that the natural language processing model determines whether the network traffic is attack network traffic;
and a response unit, configured to initiate attack network traffic response processing for the target network traffic if the target network traffic is judged to be attack network traffic.
9. A processing system comprising a processor and a memory, the memory having stored therein a computer program, the processor performing the method of any of claims 1 to 7 when the computer program in the memory is invoked by the processor.
10. A computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the method of any one of claims 1 to 7.
Application CN202310282395.8A, priority date 2023-03-21, filing date 2023-03-21: Attack detection method, device and processing system combined with natural language processing model. Status: pending. Publication: CN116319005A (en).

Publication CN116319005A published 2023-06-23. Family ID 86779492. Country: CN.

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431449A (en) * 2008-11-04 2009-05-13 中国科学院计算技术研究所 Network flux cleaning system
WO2021008028A1 (en) * 2019-07-18 2021-01-21 平安科技(深圳)有限公司 Network attack source tracing and protection method, electronic device and computer storage medium
CN112398779A (en) * 2019-08-12 2021-02-23 中国科学院国家空间科学中心 Network traffic data analysis method and system
CN113312622A (en) * 2021-06-09 2021-08-27 中国电子产品可靠性与环境试验研究所((工业和信息化部电子第五研究所)(中国赛宝实验室)) Method and device for detecting URL (Uniform resource locator)
US20210273954A1 (en) * 2020-02-28 2021-09-02 International Business Machines Corporation Artificially intelligent security incident and event management
CN113472721A (en) * 2020-03-31 2021-10-01 华为技术有限公司 Network attack detection method and device
CN113722641A (en) * 2021-08-30 2021-11-30 平安国际智慧城市科技股份有限公司 AI-based injection request protection method, device, terminal equipment and medium
KR20220081145A (en) * 2020-12-08 2022-06-15 상명대학교산학협력단 AI-based mysterious symptom intrusion detection and system
KR20220151050A (en) * 2021-05-04 2022-11-14 엘아이지넥스원 주식회사 Network intrusion detection system and network intrusion detection method
WO2023283697A1 (en) * 2021-07-16 2023-01-19 Cyber Security Research Centre Limited "cyber security"

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431449A (en) * 2008-11-04 2009-05-13 中国科学院计算技术研究所 Network flux cleaning system
WO2021008028A1 (en) * 2019-07-18 2021-01-21 平安科技(深圳)有限公司 Network attack source tracing and protection method, electronic device and computer storage medium
CN112398779A (en) * 2019-08-12 2021-02-23 中国科学院国家空间科学中心 Network traffic data analysis method and system
US20210273954A1 (en) * 2020-02-28 2021-09-02 International Business Machines Corporation Artificially intelligent security incident and event management
CN113472721A (en) * 2020-03-31 2021-10-01 华为技术有限公司 Network attack detection method and device
WO2021196691A1 (en) * 2020-03-31 2021-10-07 华为技术有限公司 Method and apparatus for detecting network attack
KR20220081145A (en) * 2020-12-08 2022-06-15 상명대학교산학협력단 AI-based mysterious symptom intrusion detection and system
KR20220151050A (en) * 2021-05-04 2022-11-14 엘아이지넥스원 주식회사 Network intrusion detection system and network intrusion detection method
CN113312622A (en) * 2021-06-09 2021-08-27 中国电子产品可靠性与环境试验研究所((工业和信息化部电子第五研究所)(中国赛宝实验室)) Method and device for detecting URL (Uniform resource locator)
WO2023283697A1 (en) * 2021-07-16 2023-01-19 Cyber Security Research Centre Limited "cyber security"
CN113722641A (en) * 2021-08-30 2021-11-30 平安国际智慧城市科技股份有限公司 AI-based injection request protection method, device, terminal equipment and medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Miao Chunyu et al.: "Principles and Applications of Key Technologies in Cloud Computing Security (Cyberspace Security Technology Series)", 30 April 2022, page 18 *
Xue Jingfeng et al.: "Intrusion Detection Technology (National Information Security Education Certification (ISEC) Textbook Series)", 30 April 2004, pages 97-98 *

Similar Documents

Publication Publication Date Title
US10516671B2 (en) Black list generating device, black list generating system, method of generating black list, and program of generating black list
US11429625B2 (en) Query engine for remote endpoint information retrieval
US11314862B2 (en) Method for detecting malicious scripts through modeling of script structure
RU2610254C2 (en) System and method of determining modified web pages
CN112383546B (en) Method for processing network attack behavior, related equipment and storage medium
Song et al. Advanced evasion attacks and mitigations on practical ML‐based phishing website classifiers
CN109246064B (en) Method, device and equipment for generating security access control and network access rule
Wang et al. Automatically Traceback RDP‐Based Targeted Ransomware Attacks
US11463459B2 (en) Network security intrusion detection
US20040205411A1 (en) Method of detecting malicious scripts using code insertion technique
CN109413016B (en) Rule-based message detection method and device
KR20180081053A (en) Systems and Methods for Domain Generation Algorithm (DGA) Malware Detection
CN113364750B (en) Method for inducing APT attack to introduce honeypots based on Snort and OpenFlow heuristic method
Liu et al. Prompt injection attacks and defenses in llm-integrated applications
CN113556343B (en) DDoS attack defense method and device based on browser fingerprint identification
KR102280845B1 (en) Method and apparatus for detecting abnormal behavior in network
Mishra et al. Intelligent phishing detection system using similarity matching algorithms
RU2659482C1 (en) Protection of web applications with intelligent network screen with automatic application modeling
Wan et al. An improved eliminating SQL injection attacks based regular expressions matching
Khan et al. A dynamic method of detecting malicious scripts using classifiers
CN116319005A (en) Attack detection method, device and processing system combined with natural language processing model
US11425092B2 (en) System and method for analytics based WAF service configuration
Liljebjörn et al. Mantis the black-box scanner: Finding XSS vulnerabilities through parse errors
Ali et al. An approach for deceptive phishing detection and prevention in social networking sites using data mining and wordnet ontology
Calvo et al. An Adaptive Web Application Firewall.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination