CN116846568A - A network attack detection method and related equipment - Google Patents
- Publication number: CN116846568A
- Application number: CN202210295319.6A
- Authority: CN (China)
- Prior art keywords: content, detected, morpheme, target, correlation
- Legal status: Pending (as listed by Google Patents; the listed status is an assumption, not a legal conclusion)
Classifications
- H04L63/1408: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425: Traffic logging, e.g. anomaly detection
- G06F40/221: Handling natural language data; natural language analysis; parsing; parsing markup language streams
- H04L41/142: Arrangements for maintenance, administration or management of data switching networks; network analysis or design using statistical or mathematical methods
- H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
Abstract
This application discloses a network attack detection method. The method comprises: obtaining the content to be detected that corresponds to network data; transforming at least one morpheme in the content to be detected according to the grammatical structure of that content, to obtain at least one target morpheme corresponding to the content to be detected; computing, for each target morpheme, a first correlation between that target morpheme and a preset corpus; and obtaining a network attack detection result from the first correlation of each target morpheme. The method improves the accuracy of network attack detection.
Description
Technical field
This application relates to the field of network security, and in particular to a network attack detection method and related equipment.
Background
With the continuous development of network technology, network information security has received increasing attention.
Currently, a common form of network attack is for an attacker to obtain operating privileges on a server through a web backdoor (webshell) and then use that control to upload and download files, read databases, execute arbitrary commands, and so on.
Traditional network attack detection typically checks whether the network data contains function names such as "assert" or "eval" to decide whether an attack is present. This approach has difficulty recognising attack commands that contain no obvious attack function, and therefore struggles to recognise webshell code that an attacker has altered through obfuscation, bypass techniques or encryption, which leads to low detection accuracy.
Summary of the invention
This application provides a network attack detection method that improves the accuracy of network attack detection. It also provides a corresponding apparatus, device, computer-readable storage medium and computer program product.
A first aspect of this application provides a network attack detection method comprising: obtaining the content to be detected that corresponds to network data; transforming at least one morpheme in the content to be detected according to the grammatical structure of that content, to obtain at least one target morpheme corresponding to the content; computing, for each of the target morphemes, a first correlation between that target morpheme and a preset corpus; and obtaining a network attack detection result from the first correlation of each target morpheme.
In the first aspect, once the content to be detected has been obtained, at least one morpheme in it is transformed according to its grammatical structure to yield at least one target morpheme. In this way, content that has been processed by obfuscation, bypass techniques and the like can be recognised from the grammatical structure and transformed back, yielding at least one target morpheme. A first correlation is then computed between each target morpheme and the preset corpus, and the detection result is derived from those correlations. Preset corpus information, such as an attack corpus, is thereby used to test whether the morphemes recovered by the transformation are related to attack behaviour, which gives a more accurate detection result.
In a possible implementation of the first aspect, obtaining the content to be detected that corresponds to the network data comprises: obtaining metadata of the network data, the metadata including one or more of request message information, response message information and a uniform resource locator (URL); and obtaining the content to be detected from the metadata.
In this implementation, the request message information includes the request header and/or the request body, and the response message information includes the response header and/or the response body. The volume of network data generated by users is usually large, which makes identifying attacks directly in that data difficult. Since attack-related information is usually carried in the metadata of the network data, the content to be detected is taken from that metadata; because the metadata is comparatively small, the content to be detected can be obtained from it quickly and efficiently.
In a possible implementation of the first aspect, obtaining the content to be detected from the metadata comprises: extracting key-value pair data from the metadata, the key-value pair data indicating the value that corresponds to each key; and obtaining the content to be detected from the values in the key-value pair data.
In this implementation, attack-related information is often carried in the assignment information within the metadata. Key-value pairs are therefore extracted from the metadata, and the assignment information that may involve an attack is extracted from those pairs to obtain the content to be detected.
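One way to carry out this extraction, as an added Python example that is not the patent's code: it parses a raw HTTP/1.1 request into URL query parameters, headers, cookies and a form-encoded body, and returns the values, which are the content to be detected. The sample request is constructed (the host, path, cookie and parameter values are invented), and the source labels, the skipped header names and the wire format are assumptions of the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Header names whose values are never a payload; an assumption of the example.
SKIP_HEADERS = {"host", "content-length", "content-type", "cookie"}


def build_sample_request() -> str:
    """Return a constructed HTTP/1.1 request (invented host, path and values)."""
    body = urlencode({
        "pass": "$f='ass'.'ert';$f($_POST['x']);",  # split-string webshell fragment
        "x": "phpinfo();",
    })
    return (
        "POST /upload/img.php?debug=1 HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Cookie: PHPSESSID=abc123; mode=normal\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def parse_request(raw: str) -> dict:
    """Split a raw request into request-line parts, a header map and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_key_values(raw: str) -> dict:
    """Key-value pairs grouped by where in the metadata they were found."""
    req = parse_request(raw)
    headers = req["headers"]
    pairs = {
        "url": dict(parse_qsl(urlsplit(req["target"]).query, keep_blank_values=True)),
        "header": {k: v for k, v in headers.items() if k not in SKIP_HEADERS},
        "cookie": {},
        "body": {},
    }
    # Cookie header is itself a list of name=value assignments.
    for part in headers.get("cookie", "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs["cookie"][name] = value
    # Only form-encoded bodies are decoded here; other content types are left alone.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        pairs["body"] = dict(parse_qsl(req["body"], keep_blank_values=True))
    return pairs


def content_to_detect(raw: str) -> list:
    """Flatten to (source, key, value) triples; the values are the detection input."""
    return [(source, key, value)
            for source, kv in extract_key_values(raw).items()
            for key, value in kv.items()]


if __name__ == "__main__":
    for item in content_to_detect(build_sample_request()):
        print(item)
```

The values are kept together with their source and key so that a later stage can weight a body parameter differently from, say, a User-Agent header, and so that the alert can point at the exact field that carried the payload.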
In a possible implementation of the first aspect, transforming at least one morpheme in the content to be detected according to its grammatical structure to obtain at least one target morpheme comprises: transforming at least one morpheme in the content according to the grammatical structure to obtain first information; determining candidate morphemes from the first information according to the types of the morphemes in it; and obtaining the at least one target morpheme from the candidate morphemes.
In this implementation, the content to be detected can be parsed with syntax-tree parsing or a similar technique to determine its grammatical structure, identifying the sentence components and the relationships between them. Based on that structure, at least one morpheme can be transformed using, for example, the call relationships of variables and/or the encoding information in the content, giving the first information. The types of the morphemes in the first information can then be determined by lexical analysis or similar means, for example by identifying variables and their types, parameters and their types, and operators and their types.
Once the types of the morphemes in the first information are known, candidate morphemes can be selected from it by type, filtering for the types that are relevant to network attacks, for example variables and parameters of type String.
The candidate morphemes can be used directly as target morphemes, or processed further to obtain the target morphemes. For instance, some candidate morphemes may have been deformed by string splitting, truncation and recombination; such a candidate can be reassembled to restore the morpheme as it was before the deformation, and the restored morpheme is then used as the target morpheme. For example, the candidate morpheme 'ass'.'ert' can be reassembled on the basis of its semantics into "assert", which serves as the target morpheme.
In a possible implementation of the first aspect, the method further comprises determining a weight for each of the target morphemes according to at least one preset keyword, and obtaining the network attack detection result from the first correlation of each target morpheme comprises obtaining it from the first correlation and the weight of each target morpheme.
In this implementation, the preset keywords typically include key morphemes used in network attacks (for example the names of functions and parameters used in attacks). Determining a target morpheme's weight by matching it against the preset keywords therefore largely reflects how important that morpheme is in the attack code, so the weight allows attacks to be detected more accurately.
In a possible implementation of the first aspect, obtaining the detection result from the first correlation and the weight of each target morpheme comprises: obtaining a second correlation for the content to be detected from the first correlation and the weight of each target morpheme; and obtaining the detection result from the ratio of the second correlation to the sum of the weights for the content to be detected.
In this implementation, for each preset corpus, the first correlation between each target morpheme and that corpus is computed, and from these a second correlation between the content to be detected and that corpus is obtained; the detection result is then derived from the second correlation of the content with each preset corpus, specifically from the ratio of the second correlation to the sum of the weights of the content to be detected. This allows uncommon content, or content that cannot be identified by key functions, to be detected fairly accurately.
In a possible implementation of the first aspect, the first correlation is determined from the highest similarity between the target morpheme and the morphemes of the corresponding preset corpus, together with a target ratio that describes the difference between the length of that preset corpus and the length of the content to be detected.
In this implementation, the highest similarity is the largest of the similarities between the target morpheme and each morpheme in the preset corpus. It reflects the probability of the target morpheme appearing in that corpus: a high value means the morpheme is likely to occur in the corpus and is closely related to it. The target ratio describes the difference between the length of the preset corpus and the length of the content to be detected, and so reflects to some extent how far the corpus as a whole differs from the content. Using both the highest similarity and the target ratio as factors in the first correlation avoids misclassification in cases where individual corpus morphemes resemble a target morpheme even though the corpus as a whole differs greatly from the content under test.
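A worked version of the weighting and correlation steps above, as an added Python example that is not the patent's code and that fixes choices the text leaves open: similarity between two morphemes is difflib's SequenceMatcher ratio; the target ratio is the smaller morpheme count divided by the larger one for the corpus entry and the content under test; weights come from a constructed keyword table with a default of 1.0; the second correlation is the weighted sum of first correlations and is divided by the total weight; the attack corpus and the 0.6 threshold are constructed for the demonstration.

```python
from difflib import SequenceMatcher

# Constructed attack corpus: each entry lists the morphemes of one known webshell.
ATTACK_CORPUS = {
    "assert_post": ["assert", "$_POST", "x"],
    "eval_base64": ["eval", "base64_decode", "$_REQUEST", "cmd"],
}
# Constructed preset keywords with weights; any other morpheme gets DEFAULT_WEIGHT.
PRESET_KEYWORDS = {
    "assert": 3.0, "eval": 3.0, "system": 3.0,
    "base64_decode": 2.0, "$_POST": 1.5, "$_REQUEST": 1.5,
}
DEFAULT_WEIGHT = 1.0
THRESHOLD = 0.6  # illustrative decision threshold


def similarity(a: str, b: str) -> float:
    """Morpheme similarity in [0, 1]; SequenceMatcher is the example's choice."""
    return SequenceMatcher(None, a, b).ratio()


def target_ratio(corpus_entry: list, targets: list) -> float:
    """Length agreement between corpus entry and content: 1.0 when equal, lower as they diverge."""
    n, m = len(corpus_entry), len(targets)
    return min(n, m) / max(n, m) if n and m else 0.0


def first_correlation(morpheme: str, corpus_entry: list, targets: list) -> float:
    """Highest similarity to any morpheme of the corpus entry, scaled by the target ratio."""
    best = max(similarity(morpheme, c) for c in corpus_entry)
    return best * target_ratio(corpus_entry, targets)


def weight(morpheme: str) -> float:
    """Weight from the preset keywords; unknown morphemes count with the default weight."""
    return PRESET_KEYWORDS.get(morpheme, DEFAULT_WEIGHT)


def second_correlation(targets: list, corpus_entry: list) -> float:
    """Weighted sum of the first correlations of all target morphemes."""
    return sum(weight(m) * first_correlation(m, corpus_entry, targets) for m in targets)


def score(targets: list, corpus_entry: list) -> float:
    """Second correlation divided by the total weight of the content to be detected."""
    total = sum(weight(m) for m in targets)
    return second_correlation(targets, corpus_entry) / total if total else 0.0


def detect(targets: list, corpus: dict = ATTACK_CORPUS, threshold: float = THRESHOLD) -> dict:
    """Score the content against every corpus entry and report the best match."""
    if not targets:
        return {"malicious": False, "matched": None, "score": 0.0, "scores": {}}
    scores = {name: score(targets, entry) for name, entry in corpus.items()}
    best = max(scores, key=scores.get)
    return {"malicious": scores[best] >= threshold, "matched": best,
            "score": scores[best], "scores": scores}


if __name__ == "__main__":
    print(detect(["assert", "$_POST", "x"]))        # restored webshell morphemes
    print(detect(["htmlspecialchars", "title"]))    # ordinary application morphemes
```

Dividing by the total weight keeps the score in [0, 1] regardless of how many morphemes the content has, and the target ratio is what stops a two-morpheme fragment from matching a long corpus entry just because one of its morphemes resembles one keyword.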
In a possible implementation of the first aspect, the method further comprises outputting the network attack detection result, which contains code information derived from the at least one target morpheme.
In this implementation, if the content to be detected is regarded as code information that has been processed by a given deformation, the code information derived from the target morphemes can be regarded as that content before the deformation was applied, that is, the content to be detected restored according to the deformation. The code information can therefore reveal the actual functions, parameters and other undeformed information used to carry out the attack.
The detection result can be output in one or both of the following ways: (1) the computer device sends the detection result to another device; (2) the computer device displays the detection result.
A second aspect of this application provides a network attack detection apparatus having the functionality to perform the method of the first aspect or any of its possible implementations. The functionality may be implemented in hardware, or in hardware executing corresponding software; the hardware or software comprises one or more modules corresponding to the functions above, for example an acquisition module, a processing module, a computation module and a detection module.
A third aspect provides a computer device comprising at least one processor, a memory, and computer-executable instructions stored in the memory and executable on the processor; when the instructions are executed by the processor, the processor performs the method of the first aspect or any of its possible implementations.
A fourth aspect provides a computer-readable storage medium storing one or more computer-executable instructions which, when executed by a processor, cause the processor to perform the method of the first aspect or any of its possible implementations.
A fifth aspect provides a computer program product storing one or more computer-executable instructions which, when executed by a processor, cause the processor to perform the method of the first aspect or any of its possible implementations.
A sixth aspect provides a chip system comprising a processor configured to support a computer device in implementing the functions of the first aspect or any of its possible implementations. In one possible design the chip system further comprises a memory for storing the program instructions and data that the computer device needs. The chip system may consist of a chip, or may comprise a chip together with other discrete components.
The technical effects of the second to sixth aspects, or of any of their possible implementations, correspond to those of the first aspect and its implementations and are not repeated here.
Description of the drawings
Figure 1a is a schematic diagram of an example system framework provided by an embodiment of this application;
Figure 1b is a schematic diagram of another example system framework provided by an embodiment of this application;
Figure 1c is a schematic diagram of a further example system framework provided by an embodiment of this application;
Figure 2 is a schematic diagram of an example of the network attack detection method provided by an embodiment of this application;
Figure 3 is a schematic diagram of an example of the morpheme transformation process provided by an embodiment of this application;
Figure 4 is a schematic diagram of another example of the morpheme transformation process provided by an embodiment of this application;
Figure 5 is a schematic diagram of an embodiment of the network attack detection apparatus provided by an embodiment of this application;
Figure 6 is a schematic structural diagram of a computer device provided by an embodiment of this application.
具体实施方式Detailed ways
下面结合附图,对本申请的实施例进行描述,显然,所描述的实施例仅仅是本申请一部分的实施例,而不是全部的实施例。本领域普通技术人员可知,随着技术发展和新场景的出现,本申请实施例提供的技术方案对于类似的技术问题,同样适用。The embodiments of the present application will be described below with reference to the accompanying drawings. Obviously, the described embodiments are only part of the embodiments of the present application, rather than all the embodiments. Persons of ordinary skill in the art will know that with the development of technology and the emergence of new scenarios, the technical solutions provided in the embodiments of this application are also applicable to similar technical problems.
本申请中,“至少一个”是指一个或者多个,“多个”是指两个或两个以上。“和/或”,描述关联对象的关联关系,表示可以存在三种关系,例如,A和/或B,可以表示:单独存在A,同时存在A和B,单独存在B的情况,其中A,B可以是单数或者复数。字符“/”一般表示前后关联对象是一种“或”的关系。“以下至少一项”或其类似表达,是指的这些项中的任意组合,包括单项或复数项的任意组合。本申请的说明书和权利要求书及上述附图中的术语“第一”、“第二”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。应该理解这样使用的术语在适当情况下可以互换,这仅仅是描述本申请的实施例中对相同属性的对象在描述时所采用的区分方式。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,以便包含一系列单元的过程、方法、系统、产品或设备不必限于那些单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它单元。In this application, "at least one" refers to one or more, and "plurality" refers to two or more. "And/or" describes the relationship between associated objects, indicating that there can be three relationships, for example, A and/or B, which can mean: A exists alone, A and B exist simultaneously, and B exists alone, where A, B can be singular or plural. The character "/" generally indicates that the related objects are in an "or" relationship. "At least one of the following" or similar expressions thereof refers to any combination of these items, including any combination of single or plural items. The terms "first", "second", etc. in the description and claims of this application and the above-mentioned drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that the terms so used are interchangeable under appropriate circumstances, and are merely a way of distinguishing objects with the same attributes in describing the embodiments of the present application. Furthermore, the terms "include" and "having" and any variations thereof, are intended to cover non-exclusive inclusions, such that a process, method, system, product or apparatus comprising a series of elements need not be limited to those elements, but may include not explicitly other elements specifically listed or inherent to such processes, methods, products or equipment.
对于通过网页后门(webshell)等方式来进行的网络攻击,传统的网络攻击检测方式通常是识别网络数据中是否包含“assert”、“eval”等函数名称来确定是否受到了网络攻击。然而这一检测方式难以识别不包含明显的攻击函数的攻击命令,因此难以识别黑客通过混淆、绕过和加密等方法改变后的webshell代码,导致网络攻击的检测准确率较低。For network attacks through web backdoors (webshells) and other methods, traditional network attack detection methods usually identify whether the network data contains function names such as "assert" and "eval" to determine whether there is a network attack. However, this detection method is difficult to identify attack commands that do not contain obvious attack functions. Therefore, it is difficult to identify the webshell code modified by hackers through obfuscation, bypassing, encryption, etc., resulting in a low detection accuracy of network attacks.
对此,本申请实施例提供一种网络攻击检测方法,以提升对网络攻击的检测准确率。In this regard, embodiments of the present application provide a network attack detection method to improve the detection accuracy of network attacks.
本申请实施例可以应用于计算机设备。The embodiments of the present application can be applied to computer equipment.
该计算机设备的类型可以有多种。示例性地,该计算机设备可以为终端设备,也可以为云端设备。The computer equipment can be of many types. For example, the computer device may be a terminal device or a cloud device.
在一种示例中,该计算机设备为云端设备。云端设备可以为服务器、服务器集群、虚拟机(virtual machine)或者容器(container)。云端设备可以具有数据存储和计算的能力,并可以为用户提供网络攻击检测相关的云服务。In one example, the computer device is a cloud device. Cloud devices can be servers, server clusters, virtual machines or containers. Cloud devices can have data storage and computing capabilities, and can provide users with cloud services related to network attack detection.
其中,需要进行网络攻击检测的用户的类型在此不做限制。示例性地,云端设备可以为企业用户提供网络攻击检测相关的云服务,也可以为个人用户提供网络攻击检测相关的云服务。Among them, the types of users who need to perform network attack detection are not limited here. For example, the cloud device can provide cloud services related to network attack detection for enterprise users, and can also provide cloud services related to network attack detection for individual users.
其中,不同的用户对应的用户设备的类型以及信息交互方式可以有多种。Among them, there may be multiple types of user equipment and information interaction methods corresponding to different users.
For example, the user may be an enterprise user. The user has a corresponding enterprise network; the specific functions and device topology of the enterprise network are not limited here. For example, the enterprise network may include network devices, terminals, servers, and so on. The collection device may be a device external to the user's network; it connects, through a designated communication method, to one or more devices associated with the enterprise network (for example, network devices in the enterprise network), thereby obtaining the user's network data. The collection device may then send the network data to the cloud device, or the collection device may obtain the content to be detected corresponding to the network data and send that content to the cloud device for network attack detection. Figure 1a is a schematic diagram of an exemplary system framework according to an embodiment of the present application. In it, the collection device 102 obtains network data from the enterprise network 103, and the cloud device 101 can exchange information with the collection device 102 to obtain the network data or the content to be detected corresponding to the network data.
As another example, the user may be an individual user. In this case, the user equipment corresponding to the individual user may include a personal terminal. The personal terminal can connect to the Internet and generate network data; it may then send the network data to the cloud device, or it may obtain the content to be detected corresponding to the network data and send that content to the cloud device for network attack detection. Figure 1b is a schematic diagram of another exemplary system framework according to an embodiment of the present application. In it, the personal terminal 112 is connected to the Internet and generates network data, and the cloud device 111 can connect to the personal terminal 112 to obtain the network data or the content to be detected corresponding to the network data from the personal terminal 112.
In another example, the computer device may be a terminal device. In this case, the terminal device may be a device used by the user, and the terminal device may perform network attack detection on itself based on the network data it handles.
For example, the terminal device may be a mobile phone, a tablet computer (pad), a computer with wireless transceiver functions, a virtual reality (VR) terminal, an augmented reality (AR) terminal, a wireless terminal in industrial control, a wireless terminal in self-driving, a wireless terminal in remote medical, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a wireless terminal in the Internet of Things (IoT), and so on.
Figure 1c is a schematic diagram of yet another exemplary system framework according to an embodiment of the present application. In it, the computer device 113 can obtain its own network data and perform network attack detection based on that network data.
The network attack detection method involved in the embodiments of the present application is introduced below.
A network attack detection method according to an embodiment of the present application includes steps 201 to 204 in Figure 2.
Step 201: obtain the content to be detected corresponding to the network data.
In the embodiments of the present application, network data refers to data transmitted by user equipment over the network. For example, the network data may include one or more of: data transmitted by the user's network devices, and data sent or received by the user's personal terminal or server.
In the embodiments of the present application, there are many ways to obtain the content to be detected corresponding to the network data, and they are not limited here.
In one example, the computer device executing the embodiment of the present application is a cloud device. In that case, the cloud device may obtain the network data of the user equipment and then obtain the content to be detected from it; or the user equipment, or a collection device corresponding to the user equipment, may collect the network data, obtain the content to be detected from it, and send the content to be detected to the cloud device. In another example, the computer device executing the embodiment of the present application is the user equipment, which obtains the content to be detected from the network data it has collected.
One exemplary way of collecting network data is to copy the data stream of a designated port on the user's network device, terminal device or server and transmit the copy to the collection device or user equipment, so that the user's network data is obtained without affecting the user's normal processing of that data.
The content to be detected may be a portion of the information in the network data. For example, it may be information of a specified type in the network data, information carrying a specified identifier, information about a specified protocol, and so on.
In some embodiments, obtaining the content to be detected corresponding to the network data includes:
obtaining metadata of the network data, the metadata including one or more of request message information, response message information and a uniform resource locator (URL);
obtaining the content to be detected from the metadata.
Here, the metadata of the network data refers to data that describes the network data. The metadata includes one or more of request message information, response message information and a uniform resource locator (URL). The request message information includes a request message header and/or a request message body, and the response message information includes a response message header and/or a response message body.
With the continuous development of network technology, the volume of network data generated by users is usually large, which makes identifying network attacks in the network data difficult. In the embodiments of the present application, since information related to a network attack is usually hidden in the metadata of the network data, the content to be detected is obtained from that metadata. Because the volume of metadata is usually small, the content to be detected corresponding to the network data can be obtained from the metadata efficiently and quickly.
In some embodiments, obtaining the content to be detected from the metadata includes:
extracting key-value pair data from the metadata, the key-value pair data indicating the value corresponding to a key;
obtaining the content to be detected from the value in the key-value pair data.
In the embodiments of the present application, information related to a network attack is often contained in the assignment information in the metadata. Therefore, key-value pair data can be extracted from the metadata, and the assignment information that may involve a network attack can then be extracted from the key-value pair data to obtain the content to be detected.
For example, in one example, the request message body in the metadata of the network data contains the following:
data=<?php@eval($_POST[admin]);?>
This content is a key-value pair in which "data" can be identified as the key and "<?php@eval($_POST[admin]);?>" as the assignment information of "data", that is, the value in the key-value pair data. In this case, "<?php@eval($_POST[admin]);?>" can be extracted from the request message body as the content to be detected.
In another example, the URL in the metadata of the network data contains the following:
http://192.168.2.11/?s=index/\think\template\driver\file/write&cacheFile=robots1.php&content=<?php@eval($_POST[admin]);?>
This includes the key-value pair data "content=<?php@eval($_POST[admin]);?>", from which the value "<?php@eval($_POST[admin]);?>" corresponding to "content" is extracted as the content to be detected.
Step 202: transform at least one morpheme in the content to be detected according to the grammatical structure of the content to be detected, to obtain at least one target morpheme corresponding to the content to be detected.
At present, traditional network attack detection usually determines whether a network attack has occurred by identifying whether the network data contains function names such as "assert" and "eval".
To counter such detection, attackers often alter their code through transformations such as obfuscation, bypass techniques, string truncation and reassembly, and/or encoding and encryption, so that the attack code contains no obvious attack function.
Accordingly, in the embodiments of the present application, at least one morpheme in the content to be detected can be transformed according to the grammatical structure of the content to be detected, so as to restore the content: if the content to be detected is regarded as content that has been processed by such a transformation, then transforming at least one morpheme in it yields the content as it was before that processing.
In the embodiments of the present application, for example, the content to be detected can be parsed by methods such as syntax tree parsing to determine its grammatical structure, identifying the sentence components in the content to be detected and the relationships between them. The syntax tree obtained by parsing can describe the grammatical structure of the content to be detected, so that at least one morpheme in the content is transformed according to that grammatical structure to obtain at least one target morpheme corresponding to the content to be detected.
The content to be detected may involve one or more transformation methods, and when there is more than one, the transformations may be layered on the same morpheme. Therefore, in the embodiments of the present application, the specific process of transforming at least one morpheme according to the grammatical structure may also take various forms, determined by the transformation methods involved in the actual content, the types of its elements, its code structure, and so on. For example, at least one morpheme in the content to be detected may be transformed based on the calling relationships of variables and/or the encoding information in the content to be detected.
For example, in one case the transformations applied to the content to be detected are layered on the same morpheme: the attacker splits the string "assert" into 'ass'.'ert' and then further disguises the split string through a variable call. In the embodiments of the present application, transforming at least one morpheme in the content may then include performing a first transformation based on the variable calling relationships in the content, followed by reassembly based on semantic information, in which the 'ass'.'ert' in the once-transformed content is recombined to obtain the target morpheme "assert".
In another example, the content to be detected contains encoding information, and transforming at least one morpheme in the content may further include decoding at least one morpheme according to that encoding information, so as to restore the content as it was before encoding. For example, if the keyword base64_decode is identified in the content to be detected, it can be inferred that part of the content has been encoded with base64, so that part can be decoded with the corresponding base64 decoding technique, thereby transforming that part of the content.
It should be noted that in this example, the step of identifying whether the content to be detected contains encoding-related information may be performed before the step of parsing its grammatical structure, in which case the encoded information is decoded and restored first and the grammatical structure is parsed afterwards; alternatively, the grammatical structure may be parsed first, and if encoding-related information is identified in a particular sentence component of the content to be detected, the content of that sentence component is decoded and restored with the corresponding decoding technique.
In addition, in the embodiments of the present application, the type of each transformed morpheme can be further identified, and the transformed morphemes can be filtered, reassembled and otherwise processed to obtain the target morphemes.
In some embodiments, transforming at least one morpheme in the content to be detected according to the grammatical structure of the content to be detected to obtain at least one target morpheme corresponding to the content to be detected includes:
transforming at least one morpheme in the content to be detected according to the grammatical structure of the content to be detected to obtain first information;
determining candidate morphemes from the first information according to the types of the morphemes in the first information;
obtaining at least one target morpheme from the candidate morphemes.
For example, at least one morpheme in the content to be detected may be transformed based on the calling relationships of variables and/or the encoding information in the content to be detected.
In the embodiments of the present application, the types of the morphemes in the first information can be determined by lexical analysis or similar methods. For example, variables and their variable types, parameters and their parameter types, operators and their operator types, and so on, can be identified from the first information.
After the types of the morphemes in the first information are obtained, candidate morphemes can be determined from the first information according to those types, by selecting from the first information the morphemes whose types are related to network attacks. For example, variables and parameters of String type can be selected from the first information.
After the candidate morphemes are obtained, they can be used directly as the target morphemes, or they can be processed further to obtain the target morphemes. For example, if some candidate morphemes have undergone transformations such as string splitting or truncation and reassembly, those candidates can be recombined to restore the morpheme as it was before the transformation, and the restored morpheme is used as the target morpheme. For instance, the candidate morpheme 'ass'.'ert' can be recombined based on semantic information to obtain "assert" as the target morpheme.
Specific examples are described below.
In one example, as shown in Figure 3, for content A to be detected:
"<?php$c='ass'.'ert';
${c}($_POST[4]);
?>"
Content A can be parsed by syntax tree parsing; the resulting syntax tree describes the grammatical structure of content A and identifies the sentence components in content A and the relationships between them.
Based on the syntax tree corresponding to content A, the calling relationships of the variables in content A can be identified, so that the morphemes in content A can be transformed.
Specifically, the assignment 'ass'.'ert' of the variable c is identified in content A, and the variable c is called in "${c}($_POST[4])" in content A. By substituting the assigned value for the variable c in content A, the transformed content "${'ass'.'ert'}($_POST[4])" is obtained and is used as first information A.
After first information A is obtained, the types of the morphemes in it can be determined by lexical analysis or similar methods. In the example shown in Figure 3, in first information A, 'ass'.'ert' is of String type, "$_POST" is a variable, and 4 is an integer.
According to the types of the morphemes in first information A, the types related to network attacks, namely the String type and variables, are selected from it; thus 'ass'.'ert' and "$_POST" are selected from first information A. Based on semantic information it is determined that 'ass'.'ert' involves the string-splitting transformation, so 'ass'.'ert' can be recombined to obtain "assert", and "assert" together with the "$_POST" selected from first information A are used as target morphemes A.
In another example, as shown in Figure 4, for content B to be detected:
It can be determined that part of content B has been encoded with base64, so that part can be decoded with the corresponding base64 decoding technique, thereby transforming that part of the content.
In this way, based on the grammatical structure of content B and the decoded information, first information B corresponding to content B can be obtained:
eval($_POST['cmd'])
The types of the morphemes in first information B are determined by lexical analysis or similar methods. In first information B, "eval" is a function name, "cmd" is a parameter of String type, and "$_POST" is a variable, all of which are related to network attacks; therefore "eval", "$_POST" and "'cmd'" are used as target morphemes B.
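As an added illustration of steps 201 and 202 (example code, not code from the patent), the following Python models the extraction of values from URL query and request body key-value pairs, and the restoration of content A and content B above: base64 decoding, substitution of variable assignments at their call sites, reassembly of split string literals, and a lexical pass that keeps string, variable and function-name morphemes. Regular expressions stand in for the syntax tree parsing the text describes; the sample inputs, the constructed base64 wrapper for content B and all function names are this example's own assumptions.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed inputs. CONTENT_A and the URL/body samples are taken from the text; CONTENT_B is a
# constructed wrapper whose base64 payload decodes to the text's first information B.
CONTENT_A = "<?php$c='ass'.'ert';${c}($_POST[4]);?>"
CONTENT_B = ("<?php eval(base64_decode('"
             + base64.b64encode(b"eval($_POST['cmd'])").decode("ascii") + "'));?>")
SAMPLE_URL = r"http://192.168.2.11/?s=index/\think\template\driver\file/write&cacheFile=robots1.php&content=<?php@eval($_POST[admin]);?>"
SAMPLE_BODY = "data=<?php@eval($_POST[admin]);?>"

B64_CALL_RE = re.compile(r"base64_decode\(\s*(['\"])([A-Za-z0-9+/=]+)\1\s*\)")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([^;]+);")
CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")
TOKEN_RE = re.compile(r"""
    (?P<string>'[^']*'|"[^"]*")
  | (?P<variable>\$\w+)
  | (?P<function>[A-Za-z_]\w*)(?=\s*\()
  | (?P<word>[A-Za-z_]\w*)
  | (?P<integer>\d+)
  | (?P<other>\S)
""", re.VERBOSE)
CANDIDATE_TYPES = {"string", "variable", "function"}  # types the text treats as attack-related


def values_to_detect(url=None, body=None):
    """Step 201: split the URL query and/or request body into key-value pairs and keep the values."""
    pairs = []
    if url:
        query = url.partition("?")[2].partition("#")[0]
        pairs.extend(query.split("&"))
    if body:
        pairs.extend(body.split("&"))
    # The value is the assignment information; the key is dropped.
    return [unquote_plus(p.partition("=")[2]) for p in pairs if "=" in p]


def decode_base64_calls(code):
    """Encoding information: replace base64_decode('...') with the decoded text."""
    def replace(m):
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not valid base64/UTF-8: leave the call untouched
    return B64_CALL_RE.sub(replace, code)


def inline_variables(code):
    """Variable calling relationship: substitute each variable's assigned expression at its call site."""
    bindings = dict(ASSIGN_RE.findall(code))
    code = ASSIGN_RE.sub("", code)  # the assignment statement itself is consumed
    for name, expr in bindings.items():
        name_re = re.escape(name)
        code = re.sub(r"\$\{" + name_re + r"\}", lambda m, e=expr: "${" + e + "}", code)
        code = re.sub(r"\$" + name_re + r"\b", lambda m, e=expr: e, code)
    return code


def join_strings(code):
    """String truncation and reassembly: recombine 'ass'.'ert' into 'assert' (repeated for longer chains)."""
    previous = None
    while previous != code:
        previous, code = code, CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", code)
    return code


def target_morphemes(content):
    """Step 202: restore the content (first information) and select candidate morphemes by type."""
    first_info = join_strings(inline_variables(decode_base64_calls(content)))
    targets = []
    for m in TOKEN_RE.finditer(first_info):
        kind = m.lastgroup
        if kind not in CANDIDATE_TYPES:
            continue
        token = m.group(kind)
        if kind == "string":
            token = token[1:-1]  # report string literals without their quotes
        if token not in targets:
            targets.append(token)
    return first_info, targets


def detect_from_metadata(url=None, body=None):
    """Steps 201 and 202 together: target morphemes for every value found in the metadata."""
    return {value: target_morphemes(value)[1] for value in values_to_detect(url, body)}
```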
Step 203: calculate a first correlation between each target morpheme in the at least one target morpheme and a preset corpus.
In the embodiments of the present application, the preset corpus is a network-attack corpus collected in advance. The preset corpus may be stored in a database in advance.
In the embodiments of the present application, functions used in network attacks, such as "assert" and "eval", and/or other parameters involved in network attacks are referred to as key morphemes.
The preset corpus may be obtained from expert experience and historical network data. For example, the scripts corresponding to trojans can be extracted from webshell script files to obtain the preset corpus.
The specific content of the preset corpus is not limited here. For example, the preset corpus in the database may include corpus entries containing functions or parameters used in network attacks, such as "assert" and "eval"; it may also include entries obtained by processing such functions or parameters with various transformations such as obfuscation, bypass techniques, string truncation and reassembly, variable substitution, and encoding and encryption; and it may further include entries corresponding to uncommon network attacks and to network attacks that do not involve key morphemes.
As shown in Table 1, the database may contain the following:
Table 1: preset corpus in the database
It will be understood that Table 1 shows only some exemplary contents of the preset corpus and does not limit the preset corpus.
The number of preset corpus entries is not limited here.
For example, when there are multiple preset corpus entries, calculating the first correlation between each target morpheme in the at least one target morpheme and the preset corpus may be:
for each preset corpus entry, calculating the first correlation between each target morpheme in the at least one target morpheme and that preset corpus entry.
There are many ways to calculate the first correlation between each target morpheme and the preset corpus. For example, it can be calculated by a search algorithm that involves a relevance computation; by an algorithm that compares sentence similarity, such as a word embedding model or the term frequency-inverse document frequency (TF-IDF) algorithm; by a text classification model such as the bidirectional encoder representations from transformers (BERT) model; or by other probabilistic and statistical algorithms.
Step 204: obtain a network attack detection result according to the first correlation corresponding to each target morpheme.
From the first correlation corresponding to each target morpheme, the correlation of the content to be detected with the preset corpus can be obtained, which determines the likelihood that the content to be detected contains network attack behaviour, that is, the probability that the content contains network attack behaviour (hereinafter the attack probability), and thus the network attack detection result.
When the attack probability is higher than a preset probability threshold, the content to be detected can be considered to contain a network attack; that is, it is detected that the user corresponding to the network data has suffered a network attack.
In the embodiments of the present application, after the content to be detected corresponding to the network data is obtained, at least one morpheme in it can be transformed according to its grammatical structure to obtain at least one target morpheme. In this way, content that has been processed by obfuscation, bypass techniques and the like can be identified according to the grammatical structure of the content to be detected and transformed to obtain at least one target morpheme. The first correlation between each target morpheme and the preset corpus can then be calculated, and the network attack detection result obtained from those first correlations, so that corpus information such as an attack corpus is fully used to check whether the morphemes obtained after transformation and restoration are related to network attack behaviour, giving a more accurate detection result.
In some embodiments, the method further includes:
determining, according to at least one preset keyword, a weight corresponding to each target morpheme in the at least one target morpheme;
and obtaining the network attack detection result according to the first correlation corresponding to each target morpheme includes:
obtaining the network attack detection result according to the first correlation corresponding to each target morpheme and the weight corresponding to each target morpheme.
In the embodiments of the present application, the preset keywords are keywords related to network attacks collected in advance, for example function names such as "assert" and "eval" that clearly indicate network attack behaviour in the network data. The preset keywords may be stored in the database. Their number is not limited here; generally there are several.
For each target morpheme, the similarity between that target morpheme and each preset keyword can be calculated with a similarity algorithm. For example, the similarity algorithm may be edit distance, an N-gram algorithm, or the like.
The weight of the target morpheme can be determined from its similarities with the preset keywords.
For example, in one case the highest of the similarities between the target morpheme and the preset keywords is used as the weight of the target morpheme.
In another case, if the similarity between the target morpheme and a preset keyword is greater than a preset similarity threshold, the target morpheme is considered to match that preset keyword; its weight can then be set to a high value, for example 1, or it can be determined from a preset weight associated with the matched keyword. If the similarity between the target morpheme and every preset keyword is not greater than the preset similarity threshold, the target morpheme is considered to match none of the preset keywords, and its weight is set to a low value, for example 0 or 0.3.
In the embodiments of the present application, the preset keywords usually include key morphemes used in network attacks (such as the names of functions and parameters used in network attacks). Determining the weight of a target morpheme by matching it against the preset keywords therefore largely reflects the importance of that morpheme in the code of a network attack, so that network attack detection based on this weight is more accurate.
在一些实施例中,根据每个目标语素对应的第一相关性以及每个目标语素对应的权重,获得网络攻击检测结果,包括:In some embodiments, network attack detection results are obtained based on the first correlation corresponding to each target morpheme and the weight corresponding to each target morpheme, including:
根据每个目标语素对应的第一相关性以及每个目标语素对应的权重,获得待检测内容对应的第二相关性;According to the first correlation corresponding to each target morpheme and the weight corresponding to each target morpheme, the second correlation corresponding to the content to be detected is obtained;
根据第二相关性与待检测内容对应的权重之和的比值,获得网络攻击检测结果。According to the ratio of the second correlation and the sum of weights corresponding to the content to be detected, the network attack detection result is obtained.
Here, calculating the first correlation between each of the at least one target morpheme and the preset corpus may include:
for each preset corpus, calculating the first correlation between each of the at least one target morpheme and that preset corpus.
Obtaining the network attack detection result according to the first correlation corresponding to each target morpheme may then include:
for each preset corpus, obtaining the second correlation between the content to be detected and that preset corpus according to the first correlation between each of the at least one target morpheme and that preset corpus;
obtaining the network attack detection result according to the second correlation between the content to be detected and each preset corpus.
In the embodiments of the present application, the weights corresponding to the content to be detected are the weights of the target morphemes corresponding to the content to be detected, and the sum of the weights corresponding to the content to be detected is the sum of the weights of those target morphemes.
In this way, uncommon content, or content that cannot be identified through key functions, can be detected more accurately.
For example, if the weights of the target morphemes of a given content to be detected are all low, the target morphemes evidently do not contain key morphemes, such as key functions, from which a network attack is easy to identify. In most cases the second correlation corresponding to that content is then also low; that is, in most cases the content is unlikely to contain a network attack.
In other cases, there may be network attacks that do not contain key morphemes, or that are uncommon. Based on expert experience, however, the corpora corresponding to such network attacks without key morphemes or uncommon network attacks, and the corpora corresponding to uncommon attack methods, can be collected in advance as preset corpora and stored in a database.
In this case the first correlation between the target morphemes and the corresponding preset corpus is high. Although the low weights keep the corresponding second correlation from being high, the ratio of that second correlation to the sum of the weights corresponding to the content to be detected is usually still high, so the probability that the corresponding network attack has occurred can still be considered high. Obtaining the network attack detection result from the ratio of the second correlation to the sum of the weights corresponding to the content to be detected therefore accurately detects not only network attacks that contain key morphemes but also network attacks that contain no key morphemes or are uncommon, which ensures the accuracy of network attack detection. In addition, by maintaining the preset corpora in the database and, on the basis of expert experience, promptly updating the corpora corresponding to network attacks without key morphemes and to uncommon attack methods, the generalizability of the network attack detection method of the embodiments of the present application can be improved.
In some embodiments, the first correlation is determined based on the highest similarity between the corresponding target morpheme and the morphemes in the corresponding preset corpus, and on a target ratio, where the target ratio describes the difference between the length of the corresponding preset corpus and the length of the content to be detected.
In the embodiments of the present application, the highest similarity between the corresponding target morpheme and the morphemes in the corresponding preset corpus is the highest of the similarities between that target morpheme and each morpheme in the preset corpus. This highest similarity reflects the probability that the target morpheme appears in the preset corpus: a high value indicates that the target morpheme is likely to appear in the preset corpus and that the two are closely related. For example, the similarity between the target morpheme and each morpheme in the corresponding preset corpus can be calculated with a similarity algorithm such as edit distance or an N-gram algorithm.
The target ratio describes the difference between the length of the corresponding preset corpus and the length of the content to be detected. For example, the target ratio may be the ratio of the larger to the smaller of the length of the preset corpus and the length of the content to be detected, or the ratio of the smaller to the larger. The target ratio thus reflects, to some extent, the difference between the corresponding preset corpus and the content to be detected.
In the embodiments of the present application, using both the highest similarity and the target ratio as factors of the first correlation avoids detection errors that would arise when individual morphemes in the preset corpus resemble the target morpheme but the overall content of the preset corpus differs greatly from the content to be detected.
The embodiments of the present application are illustrated below with a specific example.
In this example, for a content Q to be detected, the second correlation Score(Q,d) between Q and a preset corpus d can be calculated from the target morphemes q_i in Q and the preset corpus d. Specifically, the second correlation Score(Q,d) can be calculated with the following first formula:
Score(Q,d) = Σ_i W_i · R(q_i,d)
where Score(Q,d) is the second correlation between the content Q to be detected and the preset corpus d, W_i is the weight corresponding to the target morpheme q_i, and R(q_i,d) is the first correlation between the target morpheme q_i and the preset corpus d.
The first correlation R(q_i,d) can be calculated with the following second formula:
In the second formula, the target ratio is formed from dl and ql, where dl is the length of the preset corpus, ql is the length of the content Q to be detected, max(dl,ql) is the larger of dl and ql, and min(dl,ql) is the smaller of dl and ql; K1 and b are configurable adjustment factors whose specific values can be configured in advance based on experience.
It will be understood that a target ratio close or equal to 1 indicates that the preset corpus d and the content Q to be detected are of similar length, whereas a target ratio far from 1 indicates a large difference in length, in which case the specific content of the preset corpus and of the content to be detected generally also tends to differ substantially.
Calculating the first correlation R(q_i,d) in this way takes into account not only the correlation between the target morpheme and the preset corpus but also the similarity between the overall length of the content to be detected and the overall length of the preset corpus. This avoids detection errors that would arise when individual morphemes in the preset corpus resemble the target morpheme but the overall content of the preset corpus differs greatly from the content to be detected, and so ensures the accuracy of network attack detection.
In this example, the second correlation between the content Q to be detected and each preset corpus in the database can be calculated with the first and second formulas above, and the network attack detection result is then obtained from the second correlations between Q and each preset corpus in the database.
For example, the highest of the second correlations between the content Q to be detected and each preset corpus in the database can be determined; if this highest second correlation exceeds a specified correlation threshold, the content to be detected can be considered to involve a network attack.
Alternatively, the network attack detection result can be obtained from the ratio of the second correlation to the sum of the weights corresponding to the content to be detected.
Specifically, from the second correlation Score of the content Q to be detected, the probability Prob that the content involves a network attack can be calculated with the following third formula:
Prob = Score / Σ_i W_i
where Prob is the probability that the content to be detected involves a network attack, that is, the attack probability; Score is the second correlation of the content Q to be detected; and Σ_i W_i is the sum of the weights corresponding to the content Q to be detected, that is, the sum of the weights of the target morphemes of Q.
Obtaining the network attack detection result from the ratio of the second correlation to the sum of the weights corresponding to the content to be detected accurately detects not only network attacks that contain key morphemes but also network attacks that contain no key morphemes or are uncommon, and so ensures the accuracy of network attack detection. In addition, by maintaining the preset corpora in the database and, on the basis of expert experience, promptly updating the corpora corresponding to network attacks without key morphemes and to uncommon attack methods, the generalizability of the network attack detection method of the embodiments of the present application can be improved.
In some embodiments, the method further includes:
outputting the network attack detection result, which contains code information obtained from the at least one target morpheme.
In the embodiments of the present application, if the content to be detected is regarded as the result of processing code information with a specified transformation, the code information obtained from the at least one target morpheme can be regarded as that content before the specified transformation was applied, that is, as the content to be detected restored by undoing the transformation.
For example, in one example, a content to be detected includes the following:
<?php$ant=base64_decode("YXNzZXJ0");$ant($_POST['ant']);?>
The code information obtained from the at least one target morpheme corresponding to this content may include the following:
<?php"assert"($_POST['ant']);?>
Such code information has generally not been processed by an attacker with transformations such as obfuscation, evasion, string splitting and reassembly, variable substitution, or encoding and encryption, and so reflects the actual functions, parameters and/or other untransformed information used to carry out the network attack.
In the embodiments of the present application, the network attack detection result may be output in one or both of the following two ways:
1. The computer device executing the embodiments of the present application outputs the network attack detection result to another device.
For example, the other device may be the user device of the user to whom the network data corresponds, in which case the computer device may be a cloud device. The cloud device sends the network attack detection result to the user device to indicate the network attack detection status for the relevant user, and the user device can store and display it.
Alternatively, the other device may be a display device connected externally to the computer device, in which case the network attack detection result can be displayed on that external display device.
2. The computer device executing the embodiments of the present application displays the network attack detection result.
In this example, the computer device may be a terminal device that includes a display device, so that the network attack detection result can be displayed on the display device of the computer device.
For example, when displaying the network attack detection result, one or more of the following may be displayed: the content to be detected, information indicating whether it is a network attack (for example, a conclusion on whether it is a network attack event and/or the probability that a network attack has occurred), and the code information.
For example, in one example, the display interface for the network attack detection result may contain the following:
Content to be detected: <?php$ant=base64_decode("YXNzZXJ0");$ant($_POST['ant']);?>;
Detection result: attack event;
Attack probability: 1.0;
Restored code: <?php"assert"($_POST['ant']);?>.
Here the detection result indicates the conclusion on whether a network attack event has occurred, and the restored code may include the code information obtained from the at least one target morpheme.
In this way, a network attack detection result that contains the restored code information lets the user learn the actual functions and other code information used in the network attack, helps the user and the relevant developers understand the specifics of the attack, and provides data to support subsequent network security maintenance.
The embodiments of the present application have described the network attack detection method from several aspects above; the network attack detection device of the present application is described below with reference to the accompanying drawings.
As shown in Figure 5, an embodiment of the present application provides a network attack detection device 50, which can be applied to the computer device of any of the embodiments above.
The device 50 includes:
an acquisition module 501, configured to acquire the content to be detected corresponding to network data;
a processing module 502, configured to transform at least one morpheme in the content to be detected according to the grammatical structure of the content to be detected, obtaining at least one target morpheme corresponding to the content to be detected;
a calculation module 503, configured to calculate the first correlation between each of the at least one target morpheme and the preset corpus;
a detection module 504, configured to obtain the network attack detection result according to the first correlation corresponding to each target morpheme.
Optionally, the acquisition module 501 is configured to:
acquire metadata of the network data, the metadata including one or more of request message information, response message information, and a uniform resource locator (URL);
obtain the content to be detected according to the metadata.
Optionally, the acquisition module 501 is configured to:
extract key-value pair data from the metadata, the key-value pair data indicating the value corresponding to a key;
obtain the content to be detected according to the values in the key-value pair data.
Optionally, the processing module 502 is configured to:
transform at least one morpheme in the content to be detected according to the grammatical structure of the content to be detected, obtaining first information;
determine candidate morphemes from the first information according to the types of the morphemes in the first information;
obtain the at least one target morpheme according to the candidate morphemes.
Optionally, the device 50 further includes a weight module 505;
the weight module 505 is configured to:
determine, according to at least one preset keyword, the weight corresponding to each of the at least one target morpheme;
the detection module 504 is configured to:
obtain the network attack detection result according to the first correlation and the weight corresponding to each target morpheme.
Optionally, the detection module 504 is configured to:
obtain, according to the first correlation and the weight corresponding to each target morpheme, the second correlation corresponding to the content to be detected;
obtain the network attack detection result according to the ratio of the second correlation to the sum of the weights corresponding to the content to be detected.
Optionally, the first correlation is determined based on the highest similarity between the corresponding target morpheme and the morphemes in the corresponding preset corpus and on a target ratio, where the target ratio describes the difference between the length of the corresponding preset corpus and the length of the content to be detected.
Optionally, the device 50 further includes an output module 506;
the output module 506 is configured to output the network attack detection result, which contains code information obtained from the at least one target morpheme.
Figure 6 is a schematic diagram of a possible logical structure of a computer device 60 provided by an embodiment of the present application. The computer device 60 is used to implement the functions of the computer device in any of the embodiments above. The computer device 60 includes a memory 601, a processor 602, a communication interface 603 and a bus 604, where the memory 601, the processor 602 and the communication interface 603 are communicatively connected to one another through the bus 604.
The memory 601 may be a read-only memory (ROM), a static storage device, a dynamic storage device or a random access memory (RAM). The memory 601 may store a program; when the program stored in the memory 601 is executed by the processor 602, the processor 602 and the communication interface 603 are used to perform steps 201-204 and the like of the network attack detection method embodiment described above.
The processor 602 may be a central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), a graphics processing unit (GPU), a digital signal processor (DSP), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or any combination of these, and is used to execute the relevant programs so as to implement the functions to be performed by the acquisition module, processing module, calculation module and detection module of the network attack detection device in the embodiments above, or to perform steps 201-204 and the like of the network attack detection method embodiment of the present application. The steps of the method disclosed in the embodiments of the present application may be carried out directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium resides in the memory 601; the processor 602 reads the information in the memory 601 and, together with its hardware, performs steps 201-204 and the like of the network attack detection method embodiment described above.
The communication interface 603 uses a transceiver device such as, but not limited to, a transceiver to implement communication between the computer device 60 and other devices or communication networks.
The bus 604 may provide a path for transferring information between the components of the computer device 60 (for example, the memory 601, the processor 602 and the communication interface 603). The bus 604 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of presentation, only one thick line is drawn in Figure 6, but this does not mean that there is only one bus or one type of bus.
In another embodiment of the present application, a computer-readable storage medium is further provided, in which computer-executable instructions are stored; when a processor of a device executes the computer-executable instructions, the device performs the steps performed by the processor in Figure 6 above.
In another embodiment of the present application, a computer program product is further provided, which includes computer-executable instructions stored in a computer-readable storage medium; when a processor of a device executes the computer-executable instructions, the device performs the steps performed by the processor in Figure 6 above.
In another embodiment of the present application, a chip system is further provided, which includes a processor configured to implement the steps performed by the processor in Figure 6 above. In one possible design, the chip system may further include a memory for storing the program instructions and data necessary for the device into which data are written. The chip system may consist of a chip, or may include a chip and other discrete components.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware, or in a combination of computer software and electronic hardware. Whether these functions are performed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may implement the described functions in different ways for each particular application, but such implementations should not be considered to fall outside the scope of the embodiments of the present application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may be found in the corresponding processes of the method embodiments above and are not repeated here.
In the several embodiments provided by the embodiments of the present application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division into units is only a division by logical function, and other divisions are possible in an actual implementation, for example several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, devices or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the embodiments of the present application in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the various embodiments of the present application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
The above are merely specific implementations of the embodiments of the present application, but the scope of protection of the embodiments of the present application is not limited thereto.
Claims (18)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210295319.6A CN116846568A (en) | 2022-03-24 | 2022-03-24 | A network attack detection method and related equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210295319.6A CN116846568A (en) | 2022-03-24 | 2022-03-24 | A network attack detection method and related equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116846568A true CN116846568A (en) | 2023-10-03 |
Family
ID=88172974
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210295319.6A Pending CN116846568A (en) | 2022-03-24 | 2022-03-24 | A network attack detection method and related equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116846568A (en) |
- 2022-03-24: CN202210295319.6A (CN, CN116846568A), active, Pending
Similar Documents
| Publication | Title |
|---|---|
| EP4099170B1 (en) | Method and apparatus of auditing log, electronic device, and medium |
| WO2024215532A1 (en) | Response generation using a retrieval augmented ai model |
| WO2020143620A1 (en) | Method for displaying block chain data, block chain browser, user node and medium |
| WO2021017735A1 (en) | Smart contract formal verification method, electronic apparatus and storage medium |
| CN107506256B (en) | Method and device for monitoring crash data |
| CN111984719A (en) | Data calling method, device, equipment and storage medium based on data source |
| CN108090351A (en) | For handling the method and apparatus of request message |
| CN115051863B (en) | Abnormal flow detection method and device, electronic equipment and readable storage medium |
| US8676791B2 (en) | Apparatus and methods for providing assistance in detecting mistranslation |
| CN114742051A (en) | Log processing method, device, computer system and readable storage medium |
| CN114826628A (en) | Data processing method and device, computer equipment and storage medium |
| CN117332039B (en) | Text detection method, device, equipment and storage medium |
| US11727702B1 (en) | Automated indexing and extraction of information in digital documents |
| CN114880498B (en) | Event information display method and device, equipment and medium |
| CN115048533A (en) | Knowledge graph construction method and device, electronic equipment and readable storage medium |
| CN115858276A (en) | Data processing method, data configuration device and computer equipment |
| CN112528339A (en) | Data desensitization method based on Caché database and electronic equipment |
| CN116846568A (en) | A network attack detection method and related equipment |
| CN118551384A (en) | WebShell detection method based on machine learning |
| CN117726393A (en) | Order data query method and device, electronic equipment and storage medium |
| CN117609992A (en) | Data disclosure detection method, device and storage medium |
| CN117992742A (en) | Method, device and storage medium for detecting smart contract vulnerabilities |
| CN116701456A (en) | A data analysis method and related equipment |
| CN116204671A (en) | Image searching method and device |
| CN115834183A (en) | Flow detection method and device, electronic equipment and storage medium |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |