WO2024159955A1 - Network attack detection method and apparatus, electronic device and storage medium - Google Patents
- Publication number
- WO2024159955A1 (PCT/CN2023/139975)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- input data
- data
- object navigation
- network attack
- navigation graph
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Definitions
- the present application belongs to the field of network protection technology, and in particular, relates to network attack detection methods, devices, electronic devices and storage media.
- OGNL Object Graph Navigation Language
- the present application provides a network attack detection method, device, electronic device and storage medium, aiming to solve the problem that there is currently no detection method for the network attack of OGNL expression injection.
- the present application provides a network attack detection method, comprising:
- the input data includes: at least one object navigation graph language expression
- the result data and the injection feature data corresponding to the input data are input into a preset network attack detection model to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
- the present application provides a network attack detection device, comprising:
- An input data acquisition module used to acquire input data; the input data includes: at least one object navigation graph language expression;
- a result data acquisition module is used to obtain result data of whether each of the object navigation graph language expressions in the input data conforms to the grammatical specification of the object navigation graph language expression;
- a statistical module used for counting the injection characteristic data in the input data
- the detection module is used to input the result data and the injection feature data corresponding to the input data into a preset network attack detection model to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
- the present application provides an electronic device, comprising: a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above-mentioned network attack detection method when executing the program.
- the present application provides a readable storage medium, when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to execute the above-mentioned network attack detection method.
- the result data of whether each object navigation graph language expression in the input data conforms to the grammatical specification of the object navigation graph language expression is obtained, the injection feature data in the input data is counted, the result data and injection feature data corresponding to the input data are input into the preset network attack detection model, and the detection result of whether the input data includes the injection of the object navigation graph language expression is obtained; that is, a detection method for the network attack of OGNL expression injection is provided.
- the result data corresponding to the input data and the injection feature data, which are multi-dimensional data, are more correlated with OGNL expression injection. Therefore, the detection accuracy of OGNL expression injection is higher and the missed detection rate is lower, which can improve the protection capability against OGNL expression injection.
- the above detection is performed as soon as the input data is obtained, so the detection is closer to real time.
- FIG1 is a flowchart of a method for detecting network attacks according to an embodiment of the present invention
- FIG2 is a flowchart of another method for detecting network attacks provided by an embodiment of the present application.
- FIG3 is a structural diagram of a network attack detection device provided in an embodiment of the present application.
- FIG4 is a schematic diagram of a flow chart of a network attack detection method provided in an embodiment of the present application.
- FIG5 is a schematic diagram of another flow chart of network attack detection provided by an embodiment of the present application.
- FIG6 is a structural diagram of an electronic device provided in an embodiment of the present application.
- FIG1 is a flow chart of the steps of a network attack detection method provided in an embodiment of the present application. Referring to FIG1 , the method may include the following steps.
- Step 101 obtaining input data; the input data includes: at least one object navigation graph language expression.
- the input data may be flow data, etc., used to obtain application services, etc.
- the input data includes at least one OGNL (Object Graph Navigation Language) expression.
- the embodiment of the present application does not specifically limit how many OGNL expressions the input data specifically includes.
- OGNL is a powerful expression language used to get and set the properties of Java objects. It aims to provide a higher level of abstraction syntax to navigate Java object graphs. OGNL has three elements: expression, root object, and context. Expression is the core of the entire OGNL. All OGNL operations are performed after the expression is parsed. The expression tells OGNL what to do. Therefore, the expression is actually a string with grammatical meaning. The entire string will specify the type and content of the operation.
- Step 102 obtaining result data of whether each of the object navigation graph language expressions in the input data conforms to the grammatical specification of the object navigation graph language expression.
- An OGNL expression is actually a string with grammatical meaning, and an OGNL expression also has corresponding grammatical specifications. Therefore, this step is to determine whether each OGNL expression in the input data conforms to the grammatical specifications of the OGNL expression, or in other words, to determine the grammatical legality of each OGNL expression in the input data. If each OGNL expression in the input data conforms to the grammatical specifications of the OGNL expression, the result data corresponding to the input data conforms to the grammatical specifications. Otherwise, the result data corresponding to the input data does not conform to the grammatical specifications.
- step 102 may include: when each object navigation graph language expression in the input data generates an abstract syntax tree (AST), determining that the result data corresponding to the input data is that each of the object navigation graph language expressions in the input data conforms to the grammatical specification of the object navigation graph language expression. In this way, the result data can be determined simply.
- AST abstract syntax tree
- AST is a top-down tree structure, each layer consists of one or more nodes, and each node has a type attribute to indicate the type of the node. If an OGNL expression can form a legal AST tree in a similar top-down manner, it is grammatically legal or grammatically standardized. Otherwise, it is grammatically illegal or grammatically irregular.
- step 102 may include: obtaining result data of whether each OGNL expression in the input data conforms to the grammatical specification specified by Backus-Naur Form (BNF) in OGNL.
- BNF is a formal system used to describe grammar, a typical metalanguage, also known as Backus-Naur form.
- BNF is used to describe the formal paradigm of a language, using building blocks and building rules to describe the grammar of a language.
- the BNF paradigm is commonly used for programming languages and text file formats. It can not only express grammatical rules strictly, but also describe context-free grammars. It has the characteristics of simple syntax, clear expression, and convenience for grammatical analysis and compilation.
- BNF expresses grammatical rules
- non-terminal symbols are enclosed in angle brackets.
- the left part of each rule is a non-terminal symbol
- rules with the same left part can share that left part, with their right parts separated by a vertical bar "|".
- the result data of whether each OGNL expression in the input data conforms to the grammatical specification specified by BNF in OGNL can be obtained simply and accurately.
- the aforementioned obtaining of the result data of whether each OGNL expression in the input data conforms to the grammatical specification specified by BNF in OGNL may include: obtaining, based on a LALR (Look-Ahead LR) syntax analyzer, the result data of whether each OGNL expression in the input data conforms to the grammatical specification specified by BNF for the OGNL expression. The result data is easily obtained based on LALR.
- LALR Look-Ahead LR
- the input data may first be segmented into lexical units (tokens), and then the LALR analyzer may be used to determine whether the token sequence conforms to the grammatical specifications specified by BNF for the OGNL expression.
- Look-Ahead means looking ahead at the upcoming input, L means the input is scanned from left to right, and R means a rightmost derivation is constructed in reverse.
- the task of LALR analysis is to analyze whether these sequences can be combined into various grammatical phrases, such as programs, statements, function declaration expressions, etc., based on the token sequence.
- the segmentation step can be based on a finite state automaton to scan and segment the input stream and convert the input data into tokens. These tokens will serve as the input of the subsequent LALR analyzer.
- the above functions can be implemented using the flex and bison tools.
- these two tools adapt well to programming languages and are robust.
- flex and bison cooperate well with each other.
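As an added illustration of Step 102 (example code written for this page, not code from the patent or any of its embodiments), the following scanner and recursive-descent parser accept a small, assumed subset of OGNL and return the result data of whether every expression in the input data parses completely. The patent's own embodiment uses a BNF grammar with an LALR parser generated by flex and bison; the subset grammar, the token classes and the names `tokenize`, `check_expression` and `result_data` are assumptions made here.

```python
import re

# Added example for Step 102, not the patent's code: a scanner plus a
# recursive-descent parser for a small, assumed subset of OGNL. A dead end
# anywhere in the descent means no complete syntax tree, i.e. "does not
# conform to the grammatical specification".
#
# Assumed subset grammar, BNF style (non-terminals in angle brackets):
#   <expr>    ::= <term> | <term> <binop> <expr>
#   <term>    ::= <primary> { "." <member> }
#   <primary> ::= <number> | <string> | <member> | "#" <name>
#               | "@" <name> { "." <name> } "@" <member> | "(" <expr> ")"
#   <member>  ::= <name> | <name> "(" <args> ")"
#   <args>    ::= <empty> | <expr> { "," <expr> }
#   <binop>   ::= "+" | "-" | "*" | "/" | "%" | "in" | "eq" | "gt" | "==" | ...
TOKEN_RE = re.compile(r"""
      (?P<ws>\s+)
    | (?P<number>\d+)
    | (?P<string>'[^']*'|"[^"]*")
    | (?P<name>[A-Za-z_]\w*)
    | (?P<op>==|!=|<=|>=|[-+*/%<>])
    | (?P<punct>[().,@#])
""", re.VERBOSE)
WORD_OPS = {"in", "eq", "gt", "lt", "neq", "and", "or"}   # keyword operators


def tokenize(text):
    """Scan left to right like a flex scanner; reject characters outside the subset."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"illegal character {text[pos]!r} at offset {pos}")
        pos = m.end()
        kind, value = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "name" and value in WORD_OPS:
            kind = "op"
        tokens.append((kind, value))
    return tokens


class Parser:
    """The call stack is the syntax tree; any mismatch raises SyntaxError."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise SyntaxError(f"unexpected {v!r} at token {self.i}")
        self.i += 1
        return v

    def expr(self):
        self.term()
        if self.peek()[0] == "op":
            self.take("op")
            self.expr()

    def term(self):
        self.primary()
        while self.peek() == ("punct", "."):
            self.take()
            self.member()

    def primary(self):
        k, v = self.peek()
        if k in ("number", "string"):
            self.take()
        elif k == "name":
            self.member()
        elif (k, v) == ("punct", "#"):               # context variable: #name
            self.take()
            self.take("name")
        elif (k, v) == ("punct", "@"):               # static reference: @pkg.Class@member
            self.take()
            self.take("name")
            while self.peek() == ("punct", "."):
                self.take()
                self.take("name")
            self.take("punct", "@")
            self.member()
        elif (k, v) == ("punct", "("):
            self.take()
            self.expr()
            self.take("punct", ")")
        else:
            raise SyntaxError(f"unexpected {v!r} at token {self.i}")

    def member(self):
        self.take("name")
        if self.peek() == ("punct", "("):             # call with an argument list
            self.take()
            if self.peek() != ("punct", ")"):
                self.expr()
                while self.peek() == ("punct", ","):
                    self.take()
                    self.expr()
            self.take("punct", ")")


def check_expression(expression):
    """True when the expression parses completely under the subset grammar."""
    try:
        parser = Parser(tokenize(expression))
        parser.expr()
        return parser.i == len(parser.toks)          # no trailing tokens left over
    except SyntaxError:
        return False


def result_data(input_data):
    """Step 102 result data: True only if every expression in the input data conforms."""
    return all(check_expression(e) for e in input_data)
```

The scanner rejects characters the grammar does not know, and the parser rejects any token sequence it cannot consume entirely, so a stray trailing token counts as non-conforming just as an unbalanced parenthesis does. A production implementation would generate the parser from the full OGNL grammar instead of hand-writing this subset.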
- Step 103 Count the injection feature data in the input data.
- the injection feature data here refers to the feature data in the input data that is related to the network attack of OGNL expression injection.
- step 103 may include: at least one of the following sub-steps.
- Sub-step S1: counting a first proportion, namely the first total number of all sensitive functions in the input data as a proportion of the second total number of all functions in the input data.
- the sensitive functions may include functions in OGNL that may cause danger, where the danger may include sensitive information leakage, data corruption, and execution of arbitrary code. If the number of OGNL expression injections is large, the probability that the OGNL expression injection is a network attack may be greater. Therefore, using the first proportion as one dimension of the injection feature data can improve the accuracy of detecting the network attack of OGNL expression injection.
- a first total number of all sensitive functions in the input data is obtained by counting, and a second total number of all functions in the input data is obtained by counting, and the first total number is divided by the second total number to obtain the first proportion.
- Sub-step S2: counting a second proportion, namely the third total number of all operators in the input data as a proportion of the fourth total number of all characters in the input data.
- Operators are closely related to the network attack of OGNL expression injection, so using the second proportion as one-dimensional injection feature data can improve the accuracy of OGNL expression injection network attack detection.
- the third total number of operators in the input data is obtained by counting, and the fourth total number of all characters in the input data is obtained by counting, and the third total number is divided by the fourth total number to obtain the second proportion.
- the operators in the input data include: basic operators and special operators in the input data, that is, all operators in the input data.
- OGNL expressions support Java operations, and the operators in the input data may include: +, -, *, /, %, in, eq, gt, ., @, #, etc.
- Sub-step S3: counting the first total number of all function declarations in each object navigation graph language expression in the input data, on average.
- function declaration is to inform the compilation system of the function name, function type, and parameter type, number, and order so that the system can check it when calling the function (for example, whether the function name is correct, and whether the type and number of actual parameters and formal parameters are consistent).
- the number of all function declarations in each object navigation graph language expression is closely related to the OGNL expression injection network attack. Therefore, using the first total number as one-dimensional injection feature data can improve the accuracy of OGNL expression injection network attack detection.
- obtaining the first total number may include: counting the third total number of all function declarations in each OGNL expression in the input data; summing all the third total numbers corresponding to the input data to obtain a first sum value; and dividing the first sum value by the fifth total number of all object navigation graph language expressions in the input data, which gives the first total number of function declarations per OGNL expression in the input data on average. The first total number is thereby obtained simply and accurately.
- Sub-step S4: counting the second total number of all function calls in each object navigation graph language expression in the input data, on average.
- the second total number is used as one-dimensional injection feature data to improve the accuracy of the detection of the network attack of OGNL expression injection.
- obtaining the second total number may include: counting the fourth total number of all function calls in each OGNL expression in the input data; summing all the fourth total numbers corresponding to the input data to obtain a second sum value; and dividing the second sum value by the fifth total number of all OGNL expressions in the input data, which gives the second total number of function calls per OGNL expression in the input data on average. The second total number is thereby obtained simply and accurately.
- step 103 may include: counting the injection feature data in the input data by statistical detection (NeoPI) based on the command execution environment (webshell).
- NeoPI statistical features include: coincidence index, file entropy, longest word, malicious features, and compression ratio. These features are closely related to whether the OGNL expression is malicious in the network detection. Using this method to count the injection feature data can improve the accuracy of network detection.
- step 103 may include: counting the injection feature data in the input data only when the result data corresponding to the input data indicates that all OGNL expressions in the input data conform to the syntax specification of the OGNL expression. When all OGNL expressions in the input data conform to the syntax specification, the syntax of the input data is legal, and the injection feature data is then counted; this reduces invalid workload. Specifically, under normal circumstances, if at least one OGNL expression in the input data does not conform to the syntax specification of the OGNL expression, the input data can essentially be regarded as invalid or illegal, and there is no need to count the injection feature data in the input data.
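The four feature dimensions of sub-steps S1 to S4, together with the gating just described (count only when the result data says every expression is grammatical), as an added example that is not the patent's code. Assumptions made here: a "function" is any identifier directly followed by "(", a "function declaration" is an OGNL lambda written `:[ ... ]`, the sensitive-function set is a small constructed placeholder that a deployment would replace with its own list, and the operator set is the page's own example list (+, -, *, /, %, in, eq, gt, ., @, #). The sample expressions in the test are constructed.

```python
import re

# Added example for Step 103, not the patent's code: the injection feature
# data of sub-steps S1-S4 for one piece of input data (a list of OGNL
# expressions), plus the gating that skips the statistics when the result
# data says the input data is not grammatical.
SENSITIVE_FUNCTIONS = {"exec", "getRuntime", "forName"}      # constructed placeholder list
OPERATOR_RE = re.compile(r"[-+*/%.@#]|\b(?:in|eq|gt)\b")    # the page's operator examples
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")              # assumption: name( is a function
LAMBDA_RE = re.compile(r":\[")                              # assumption: :[ ... ] is a declaration


def injection_features(input_data):
    """Return [first proportion, second proportion, first total number,
    second total number] in the page's naming: sensitive-function share,
    operator share, average declarations and average calls per expression."""
    calls = [m.group(1) for e in input_data for m in CALL_RE.finditer(e)]
    all_functions = len(calls)                                # "second total number" of S1
    sensitive = sum(1 for name in calls if name in SENSITIVE_FUNCTIONS)
    first_proportion = sensitive / all_functions if all_functions else 0.0

    text = "".join(input_data)
    operators = len(OPERATOR_RE.findall(text))                # "third total number" of S2
    characters = len(text)                                    # "fourth total number" of S2
    second_proportion = operators / characters if characters else 0.0

    expressions = len(input_data)                             # "fifth total number"
    declarations = sum(len(LAMBDA_RE.findall(e)) for e in input_data)
    avg_declarations = declarations / expressions             # S3, first total number
    avg_calls = all_functions / expressions                   # S4, second total number
    return [first_proportion, second_proportion, avg_declarations, avg_calls]


def counted_features(input_data, result_data):
    """Step 103 gating: count only when every expression was grammatical.
    None signals that the input data was set aside as invalid, so no model
    input is produced for it."""
    if not result_data or not input_data:
        return None
    return injection_features(input_data)
```

Both proportions are guarded against division by zero, because input data with no function at all (or, degenerately, no characters) is valid and must still yield a feature vector rather than an exception that an attacker could use to crash the detector.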
- Step 104 input the result data and the injection feature data corresponding to the input data into a preset network attack detection model to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
- the preset network attack detection model is trained in advance.
- the detection result of whether the input data includes OGNL expression injection can be output.
- the preset network attack detection model includes: a linear regression (Logistic Regression, LR) model.
- the LR model is a model for processing binary classification problems.
- the dependent variable y is divided into positive and negative classes.
- the positive class represents the input data injected with the OGNL expression
- the negative class represents the input data without the hazard of OGNL expression injection.
- the dependent variable $y \in \{0, 1\}$, where 0 represents the negative class and 1 represents the positive class.
- the functional form of the LR model is the following formula (1).
- $h = g(\theta^{T} x)$ Formula (1)
- $x$ represents the result data and injection feature data corresponding to the input data
- $\theta$ represents the matrix formed by the weights corresponding to the result data and injection feature data corresponding to the input data
- T represents the transpose of the aforementioned matrix.
- a linear regression model is used to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
- the method is easy to implement, has a fast calculation speed, and has a relatively accurate detection result.
- the result data of whether each object navigation graph language expression in the input data conforms to the grammatical specification of the object navigation graph language expression is obtained, the injection feature data in the input data is counted, the result data and injection feature data corresponding to the input data are input into the preset network attack detection model, and the detection result of whether the input data includes the injection of the object navigation graph language expression is obtained; that is, a detection method for the network attack of OGNL expression injection is developed.
- the result data corresponding to the input data and the injection feature data, which are multi-dimensional data, are more correlated with OGNL expression injection, so the detection accuracy of OGNL expression injection is higher, the recall rate is also higher, and the missed detection rate is lower, which can improve the protection capability against OGNL expression injection.
- the above detection is performed as soon as the input data is obtained, so the detection is closer to real time.
- FIG2 is a flowchart of the steps of another network attack detection method provided in an embodiment of the present application. Referring to FIG2 , the method may include the following steps.
- Step 201 obtaining input data; the input data includes: at least one object navigation graph language expression.
- Step 202 obtaining result data of whether each of the object navigation graph language expressions in the input data conforms to the grammatical specification of the object navigation graph language expression.
- Step 203 Count the injection feature data in the input data.
- Steps 201 to 203 may correspond to the aforementioned steps 101 to 103 and can achieve the same or similar beneficial effects. To avoid repetition, they will not be described again here.
- Step 204 Use the acquired historical input data as first sample data to train the preset network attack detection model.
- the preset network attack detection model is obtained by training with historical input data.
- the preset network attack detection model includes: a linear regression model.
- the aforementioned related records can be referred to here, and the same or similar beneficial effects can be achieved. In order to avoid repetition, it will not be repeated here.
- Step 205 input the result data and the injection feature data corresponding to the input data into a preset network attack detection model to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
- Step 205 may correspond to the aforementioned step 104 and can achieve the same or similar beneficial effects. To avoid repetition, it will not be described again here.
- Step 206 Use the input data as second sample data to update the preset network attack detection model.
- the aforementioned input data is used as the second sample data to update the preset network attack detection model in real time.
- a rich data source is provided to improve the robustness of the preset network attack detection model.
- the real-time update of the preset network attack detection model parameters can also be easily realized, which is convenient for iterative updates.
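An added example, not the patent's code, covering formula (1) and the two training passes of Steps 204 and 206: the model $h = g(\theta^{T} x)$ is fitted on constructed historical feature vectors (first sample data) and then updated online with a newly detected sample (second sample data). Assumptions made here: $g$ is the logistic (sigmoid) function, which the page does not spell out; `theta[0]` is a bias weight; training is gradient descent on the log-loss; and every feature vector is constructed, laid out as [result data (1 = all expressions grammatical), first proportion, second proportion, first total number, second total number].

```python
import math

# Added example, not the patent's code: the LR model of formula (1), trained
# as in Step 204 on historical sample data, then updated online as in Step 206.
# Assumptions: g is the logistic function, theta[0] is a bias weight, and the
# sample vectors below are constructed, not real traffic.

def g(z):
    """Logistic function, written to avoid overflow for large |z|."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def hypothesis(theta, x):
    """Formula (1): h = g(theta^T x), the probability that x is the positive class."""
    z = theta[0] + sum(w * xi for w, xi in zip(theta[1:], x))
    return g(z)


def gradient_step(theta, x, y, lr):
    """One gradient-descent step of the log-loss on a single labelled sample."""
    err = hypothesis(theta, x) - y
    grad = [err] + [err * xi for xi in x]
    return [w - lr * gw for w, gw in zip(theta, grad)]


def train(samples, epochs=300, lr=0.5):
    """Step 204: fit theta from scratch on historical labelled samples (x, y)."""
    theta = [0.0] * (len(samples[0][0]) + 1)
    for _ in range(epochs):
        for x, y in samples:
            theta = gradient_step(theta, x, y, lr)
    return theta


def update(theta, x, y, lr=0.1):
    """Step 206: online update with one newly detected sample, without retraining."""
    return gradient_step(theta, x, y, lr)


def detect(theta, x, threshold=0.5):
    """Detection result: 1 = the input data includes OGNL expression injection."""
    return 1 if hypothesis(theta, x) >= threshold else 0


# Constructed historical samples (first sample data), label 1 = positive class.
HISTORICAL = [
    ([1, 0.50, 0.20, 1.0, 3.0], 1),
    ([1, 0.67, 0.25, 0.5, 2.5], 1),
    ([1, 0.40, 0.18, 1.0, 2.0], 1),
    ([1, 0.00, 0.05, 0.0, 0.5], 0),
    ([1, 0.00, 0.08, 0.0, 1.0], 0),
    ([0, 0.00, 0.02, 0.0, 0.0], 0),
]

if __name__ == "__main__":
    theta = train(HISTORICAL)
    for x, y in HISTORICAL:
        print(y, detect(theta, x), round(hypothesis(theta, x), 3))
    theta = update(theta, [1, 0.33, 0.15, 0.0, 2.0], 1)    # second sample data
```

The online update is a single gradient step, so a newly labelled sample nudges the weights rather than replacing them; in a deployment the label for second sample data would come from analyst confirmation of the detection result, not from the model's own output, or the model would simply reinforce its mistakes.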
- this method can also be combined with cloud platform big data.
- applications on the public network of a cloud platform are more vulnerable to the network attack of OGNL expression injection.
- major enterprises such as banks, insurance companies, and e-commerce retailers have moved to the cloud, and Web (World Wide Web) applications exposed directly on the public network are more vulnerable to the network attack of OGNL expression injection, which leads to security issues such as leakage of personal and corporate confidential data, financial losses, and business interruption, with a serious impact on enterprises of all kinds.
- Cloud platform big data can provide more and richer first sample data, making the trained preset network attack detection model more accurate and more robust.
- cloud platform big data can provide more and richer second sample data, which can conveniently and quickly realize the update and iteration of the preset network attack detection model parameters.
- Figure 3 is a structural diagram of a network attack detection device provided by an embodiment of the present application.
- the present application also provides a network attack detection device, as shown in Figure 3, the device includes: an input data acquisition module 301, used to acquire input data; the input data includes: at least one object navigation graph language expression;
- the result data acquisition module 302 is used to acquire result data of whether each of the object navigation graph language expressions in the input data conforms to the grammatical specification of the object navigation graph language expression;
- a statistics module 303 used for counting the injection characteristic data in the input data
- the detection module 304 is used to input the result data and the injection feature data corresponding to the input data into a preset network attack detection model to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
- the statistical module 303 includes at least one of the following sub-modules: a first statistical sub-module, used to count a first total number of all sensitive functions in the input data, which accounts for a first proportion of a second total number of all functions in the input data; a second statistical sub-module, used to count a third total number of all operators in the input data, which accounts for a second proportion of a fourth total number of all characters in the input data; a third statistical sub-module, used to count an average first total number of all function declarations in each object navigation graph language expression in the input data; and a fourth statistical sub-module, used to count an average second total number of all function calls in each object navigation graph language expression in the input data.
- the statistical module 303 includes: a fifth statistical submodule, which is used to count the injection feature data in the input data based on statistical detection of the command execution environment.
- the statistical module 303 includes: a sixth statistical sub-module, used to count the injection feature data in the input data when the result data indicates that all the object navigation graph language expressions in the input data comply with the grammatical specifications of the object navigation graph language expression.
- the network attack detection device further includes: a training module, configured to use the acquired historical input data as first sample data to train and obtain the preset network attack detection model.
- the network attack detection device further includes: an updating module, configured to update the preset network attack detection model by using the input data as second sample data.
- the preset network attack detection model includes: a linear regression model.
- the result data acquisition module 302 includes: a first result data acquisition sub-module, used to determine, when each object navigation graph language expression in the input data generates an abstract syntax tree, that the result data corresponding to the input data is that each object navigation graph language expression in the input data complies with the grammatical specification of the object navigation graph language expression.
- the result data acquisition module 302 includes: a second result data acquisition submodule, used to obtain result data on whether each of the object navigation graph language expressions in the input data conforms to the grammatical specifications specified by the Backus-Naur form in the object navigation graph language expression.
- the second result data acquisition submodule includes: a result data acquisition unit, used to obtain, based on a LALR syntax analyzer, result data on whether each object navigation graph language expression in the input data conforms to the grammatical specifications specified by the Backus-Naur form of the object navigation graph language expression.
- the third statistical submodule includes: a first statistical unit, used to count the third total number of all function declarations in each object navigation graph language expression in the input data; a first summation unit, used to sum all the third total numbers corresponding to the input data to obtain a first sum value; and a first total number acquisition unit, used to divide the first sum value by the fifth total number of all object navigation graph language expressions in the input data to obtain the first total number of all function declarations in each object navigation graph language expression in the input data on average.
- the fourth statistical submodule includes: a second statistical unit, used to count the fourth total number of all function calls in each object navigation graph language expression in the input data; a second summation unit, used to sum all the fourth total numbers corresponding to the input data to obtain a second sum value; and a second total number acquisition unit, used to divide the second sum value by the fifth total number of all object navigation graph language expressions in the input data to obtain the second total number of all function calls in each object navigation graph language expression in the input data on average.
- the description is relatively simple. For relevant details, please refer to the partial description of the method embodiment.
- Fig. 4 is a schematic diagram of a flow chart of a network attack detection provided by an embodiment of the present application.
- Fig. 5 is a schematic diagram of another flow chart of network attack detection provided by an embodiment of the present application. Referring to Fig. 4, a data set of input data from OGNL expression injection network attacks on the cloud platform is annotated.
- the historical input data is scanned, segmented and converted into tokens.
- the obtained token sequence is input into the LALR parser, which determines, according to the grammatical specifications specified by the BNF paradigm of OGNL, whether the token sequence conforms to those specifications, giving the result data corresponding to the historical input data.
- the injection feature data in the aforementioned historical input data is obtained through NeoPI statistics. More specifically, this step may include obtaining, through NeoPI statistics: the first proportion, namely the first total number of all sensitive functions in the historical input data as a proportion of the second total number of all functions in the historical input data; the second proportion, namely the third total number of all operators in the historical input data as a proportion of the fourth total number of all characters in the historical input data; the first total number of all function declarations in each object navigation graph language expression in the historical input data; and the second total number of all function calls in each object navigation graph language expression in the historical input data.
- a linear regression model is trained to obtain a preset network attack detection model.
- the upper dotted box or framed portion in FIG4 is mainly the part that trains to obtain the preset network attack detection model.
- the result data corresponding to the input data, the first proportion, the second proportion, the first total number, and the second total number are used to update the previously trained preset network attack detection model.
- the dotted box or the framed portion at the bottom of Figure 4 is mainly the network attack detection, as well as the part of the update iteration of the preset network attack detection model.
- Figure 6 is a structural diagram of an electronic device provided in an embodiment of the present application.
- the present application also provides an electronic device, see Figure 6, including: a processor 901, a memory 902, and a computer program 9021 stored in the memory and executable on the processor, and the processor implements the network attack detection method of the aforementioned embodiment when executing the program.
- the present application also provides a readable storage medium.
- the instructions in the storage medium are executed by a processor of an electronic device, the electronic device can execute the network attack detection method of the aforementioned embodiment.
- modules in the devices in the embodiments may be adaptively changed and arranged in one or more devices different from the embodiments.
- the modules or units or components in the embodiments may be combined into one module or unit or component, and in addition they may be divided into a plurality of submodules or subunits or subcomponents. All features disclosed in this specification (including the accompanying claims, abstracts and drawings) and all processes or units of any method or device disclosed in this manner may be combined in any combination, except that at least some of such features and/or processes or units are mutually exclusive. Unless otherwise expressly stated, each feature disclosed in this specification (including the accompanying claims, abstracts and drawings) may be replaced by an alternative feature providing the same, equivalent or similar purpose.
- the various component embodiments of the present application can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all components of the network attack detection device according to the present application.
- the present application can also be implemented as a device or apparatus program for executing part or all of the methods described herein.
- Such a program implementing the present application can be stored on a computer-readable medium, or can have the form of one or more signals. Such a signal can be downloaded from an Internet website, or provided on a carrier signal, or provided in any other form.
- the user information (including but not limited to user device information and user personal information) and related data involved in this application are all information authorized by the user or fully authorized by all parties concerned.
Description
This application claims priority to the Chinese patent application filed with the China Patent Office on January 31, 2023, with application number 202310047999.4 and titled "Network Attack Detection Method, Device, Electronic Device and Storage Medium", the entire contents of which are incorporated herein by reference.
The present application belongs to the field of network protection technology, and in particular relates to a network attack detection method and apparatus, an electronic device and a storage medium.
With the rapid development of networks, network security problems are becoming increasingly serious. Among them, Object Graph Navigation Language (OGNL) expression injection is a particularly harmful network attack: through an injected OGNL expression, an attacker can maliciously read and write arbitrary properties of Java objects, call methods on Java objects, and perform type conversions.
However, there is currently no detection method aimed specifically at the network attack of OGNL expression injection, so such a detection method needs to be provided.
Summary of the invention
The present application provides a network attack detection method and apparatus, an electronic device and a storage medium, aiming to solve the problem that there is currently no detection method for the network attack of OGNL expression injection.
In a first aspect, the present application provides a network attack detection method, comprising:
acquiring input data, the input data including at least one Object Graph Navigation Language expression;
obtaining result data indicating whether every Object Graph Navigation Language expression in the input data conforms to the grammatical specification of Object Graph Navigation Language expressions;
counting injection feature data in the input data;
inputting the result data and the injection feature data corresponding to the input data into a preset network attack detection model, to obtain a detection result of whether the input data includes an Object Graph Navigation Language expression injection.
In a second aspect, the present application provides a network attack detection apparatus, comprising:
an input data acquisition module, configured to acquire input data, the input data including at least one Object Graph Navigation Language expression;
a result data acquisition module, configured to obtain result data indicating whether every Object Graph Navigation Language expression in the input data conforms to the grammatical specification of Object Graph Navigation Language expressions;
a statistics module, configured to count injection feature data in the input data;
a detection module, configured to input the result data and the injection feature data corresponding to the input data into a preset network attack detection model, to obtain a detection result of whether the input data includes an Object Graph Navigation Language expression injection.
In a third aspect, the present application provides an electronic device, comprising a processor, a memory, and a computer program stored in the memory and executable on the processor, wherein the processor implements the above network attack detection method when executing the program.
In a fourth aspect, the present application provides a readable storage medium; when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to execute the above network attack detection method.
In the embodiments of the present application, result data indicating whether every OGNL expression in the input data conforms to the grammatical specification of OGNL expressions is obtained, the injection feature data in the input data is counted, and the result data and injection feature data corresponding to the input data are input into the preset network attack detection model to obtain a detection result of whether the input data includes an OGNL expression injection. This provides a detection method for the network attack of OGNL expression injection. At the same time, the result data and injection feature data corresponding to the input data are multi-dimensional data with a higher correlation to OGNL expression injection, so the detection accuracy for OGNL expression injection is higher and the missed detection rate is lower, which improves the protection capability against OGNL expression injection. Moreover, the detection is performed as soon as the input data is obtained, so it has good real-time performance.
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present application; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
FIG. 1 is a flowchart of the steps of a network attack detection method provided in an embodiment of the present application;
FIG. 2 is a flowchart of the steps of another network attack detection method provided in an embodiment of the present application;
FIG. 3 is a structural diagram of a network attack detection apparatus provided in an embodiment of the present application;
FIG. 4 is a schematic flow diagram of network attack detection provided in an embodiment of the present application;
FIG. 5 is another schematic flow diagram of network attack detection provided in an embodiment of the present application;
FIG. 6 is a structural diagram of an electronic device provided in an embodiment of the present application.
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present application without creative effort fall within the scope of protection of the present application.
FIG. 1 is a flowchart of the steps of a network attack detection method provided in an embodiment of the present application. Referring to FIG. 1, the method may include the following steps.
Step 101: acquire input data, the input data including at least one Object Graph Navigation Language expression.
The input data may be, for example, traffic data used to request an application service. The input data includes at least one OGNL (Object Graph Navigation Language) expression; the embodiments of the present application do not limit how many OGNL expressions the input data contains.
OGNL is a powerful expression language for getting and setting the properties of Java objects; it aims to provide a higher-level syntax for navigating Java object graphs. OGNL has three elements: the expression, the root object and the context. The expression is the core of OGNL: every OGNL operation is performed after the expression has been parsed, and the expression tells OGNL what to do. An expression is therefore a string with grammatical meaning, and the whole string specifies the type and content of the operation.
Step 102: obtain result data indicating whether every OGNL expression in the input data conforms to the grammatical specification of OGNL expressions.
An OGNL expression is a string with grammatical meaning, and OGNL expressions have a corresponding grammatical specification. This step therefore determines whether each OGNL expression in the input data conforms to that specification, in other words, determines the grammatical validity of each OGNL expression in the input data. Only when every OGNL expression in the input data conforms to the grammatical specification is the result data for that input data "conforms to the grammatical specification"; otherwise the result data for that input data is "does not conform to the grammatical specification".
Optionally, step 102 may include: when every OGNL expression in the input data can be built into an abstract syntax tree (AST), determining the result data for the input data as "every OGNL expression in the input data conforms to the grammatical specification". In this way the result data can be determined simply.
Specifically, an AST is a top-down tree structure in which each level consists of one or more nodes, and each node has a type attribute indicating the type of the node. If an OGNL expression can be combined top-down into a valid AST in this way, its grammar is valid (it conforms to the specification); otherwise its grammar is invalid (it does not conform).
Optionally, step 102 may include: obtaining result data indicating whether every OGNL expression in the input data conforms to the grammatical specification defined by the Backus-Naur Form (BNF) grammar of OGNL. BNF is a formal system for describing grammars and a typical metalanguage, also written Backus normal form. BNF describes the syntax of a language using building blocks and construction rules; it is commonly used for programming languages and text file formats. It not only expresses grammar rules rigorously, but the grammars it describes are context-free. It is simple, unambiguous and convenient for syntax analysis and compilation. In BNF, non-terminal symbols are enclosed in angle brackets; the left-hand side of each rule is a non-terminal, the right-hand side is a string of non-terminals and terminals, and the two are generally separated by "::=". Rules with the same left-hand side may share it, with the alternative right-hand sides separated by a vertical bar "|". Obtaining result data indicating whether every OGNL expression in the input data conforms to the BNF-defined grammatical specification of OGNL determines the result data simply and accurately.
Optionally, obtaining the result data indicating whether every OGNL expression in the input data conforms to the BNF-defined grammatical specification of OGNL may include: obtaining that result data using an LALR (Look-Ahead LR) parser; the result data is easily obtained with LALR parsing.
More specifically, the input data may first be split into lexical units (tokens), after which the LALR parser determines whether the token sequence conforms to the BNF-defined grammatical specification of OGNL expressions. Here, "Look-Ahead" refers to looking ahead in the input, "L" denotes scanning the input from left to right, and "R" denotes constructing a rightmost derivation in reverse. The task of LALR parsing is to determine, on the basis of the token sequence, whether the tokens can be combined into the various grammatical phrases, such as programs, statements and function declaration expressions. The tokenization step can be based on a finite state automaton that scans the input stream and converts the input data into tokens, which then serve as the input to the LALR parser. These functions can be implemented with the flex and bison tools: both adapt well to programming languages, are robust, and work well together.
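As an added example (not the patent's implementation, which the text says generates an LALR parser with flex and bison), the following Python builds the result data of step 102 for an assumed subset of the OGNL grammar: property navigation, method calls, `#` context references, `@pkg.Class@member` static references, parenthesised sub-expressions, assignment, comma-separated sequences, and the binary operators listed in PRECEDENCE. It uses a hand-written recursive-descent parser instead of an LALR table, which gives the same verdict: an expression conforms to the grammar exactly when the parser can build an AST for it. List literals, indexing, lambdas, `new` and unary operators are outside the assumed subset and are rejected as syntax errors.

```python
import re

# Lexer and operator table for the assumed OGNL subset: a static class reference such as
# @java.lang.Runtime@ is one token, "=" is right-associative, eq/gt/in/and/or are word forms.
TOKEN_RE = re.compile(r"""(?P<ws>\s+)|(?P<num>\d+(?:\.\d+)?)
    |(?P<str>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")|(?P<clsref>@[A-Za-z_][\w.]*@)
    |(?P<ident>[A-Za-z_]\w*)|(?P<op>==|!=|&&|\|\||[-+*/%<>=!.,()\#])""", re.VERBOSE)
PRECEDENCE = {"=": 0, "||": 1, "or": 1, "&&": 2, "and": 2, "==": 3, "!=": 3, "eq": 3, "neq": 3,
              "<": 3, ">": 3, "lt": 3, "gt": 3, "in": 3, "+": 4, "-": 4, "*": 5, "/": 5, "%": 5}


class Parser:  # lexer plus recursive-descent parser; parse() returns an AST or raises SyntaxError

    def __init__(self, text):
        self.toks, self.i, pos = [], 0, 0
        while pos < len(text):  # scan left to right, dropping whitespace
            m = TOKEN_RE.match(text, pos)
            if m is None:
                raise SyntaxError(f"illegal character {text[pos]!r} at offset {pos}")
            if m.lastgroup != "ws":
                self.toks.append((m.lastgroup, m.group()))
            pos = m.end()
        self.toks.append(("eof", ""))

    def at(self, value):  # is the next token this operator or keyword?
        kind, val = self.toks[self.i]
        return kind in ("op", "ident") and val == value

    def take(self, kind=None, value=None):
        k, v = self.toks[self.i]
        if (kind and k != kind) or (value is not None and v != value):
            raise SyntaxError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self):  # sequence e1, e2, ...; all input must be consumed
        nodes = [self.expr()]
        while self.at(","):
            self.take()
            nodes.append(self.expr())
        self.take("eof")
        return nodes[0] if len(nodes) == 1 else ("sequence", *nodes)

    def expr(self, min_prec=0):  # precedence climbing over PRECEDENCE
        left = self.postfix()
        while True:
            kind, val = self.toks[self.i]
            prec = PRECEDENCE.get(val) if kind in ("op", "ident") else None
            if prec is None or prec < min_prec:
                return left
            self.take()
            right = self.expr(prec if val == "=" else prec + 1)
            left = ("assign", left, right) if val == "=" else ("binop", val, left, right)

    def postfix(self):  # navigation chain: a.b.c(...)
        node = self.primary()
        while self.at("."):
            self.take()
            node = ("navigate", node, self.member())
        return node

    def member(self):  # property name or method call
        name = self.take("ident")
        return ("call", name, self.args()) if self.at("(") else ("property", name)

    def args(self):
        self.take(value="(")
        out = [] if self.at(")") else [self.expr()]
        while self.at(","):
            self.take()
            out.append(self.expr())
        self.take(value=")")
        return out

    def primary(self):
        kind, val = self.toks[self.i]
        if kind in ("num", "str"):
            return (kind, self.take())
        if kind == "clsref":  # static reference: @java.lang.Runtime@getRuntime()
            return ("static", self.take().strip("@"), self.member())
        if kind == "ident":
            return self.member()
        if self.at("#"):  # context variable: #request
            self.take()
            return ("context", self.take("ident"))
        if self.at("("):
            self.take()
            node = self.expr()
            self.take(value=")")
            return node
        raise SyntaxError(f"unexpected token {val!r}")


def syntax_result(input_data):
    """Step 102: True only if every expression in the input data builds an AST."""
    try:
        for expr in input_data:
            Parser(expr).parse()
        return True
    except SyntaxError:
        return False
```

`syntax_result` is the per-input-data result: it is True only when every expression parses, matching the rule above that a single non-conforming expression makes the whole input non-conforming. Note that a payload such as `@java.lang.Runtime@getRuntime().exec('id')` is, deliberately, grammatically valid OGNL; step 102 alone therefore cannot flag it, which is why the feature statistics of step 103 are needed.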
Step 103: count the injection feature data in the input data.
The injection feature data here refers to the feature data in the input data that is related to the network attack of OGNL expression injection.
Optionally, step 103 may include at least one of the following sub-steps.
Sub-step S1: count the first proportion, which is the first total number of all sensitive functions in the input data divided by the second total number of all functions in the input data.
A sensitive function may be a function in OGNL whose invocation causes harm, where the harm may include at least one of sensitive information disclosure, data corruption and execution of arbitrary code. Usually, the more sensitive functions there are, the greater the probability that the input carries an OGNL expression injection attack; therefore using the first proportion as one dimension of the injection feature data can improve the accuracy of detecting the OGNL expression injection attack.
Specifically, the first total number of all sensitive functions in the input data and the second total number of all functions in the input data are counted, and the first total number is divided by the second total number to obtain the first proportion.
Sub-step S2: count the second proportion, which is the third total number of all operators in the input data divided by the fourth total number of all characters in the input data.
Operators are closely related to the network attack of OGNL expression injection, so using the second proportion as one dimension of the injection feature data can improve the accuracy of detecting the attack. Specifically, the third total number of operators in the input data and the fourth total number of all characters in the input data are counted, and the third total number is divided by the fourth total number to obtain the second proportion. The operators in the input data include both the basic operators and the special operators, that is, all operators in the input data. OGNL expressions support Java operations, and the operators in the input data may include +, -, *, /, %, in, eq, gt, ., @, # and so on.
Sub-step S3: count the first total count, which is the average number of function declarations per OGNL expression in the input data.
A function declaration informs the compiler of a function's name, return type, and the types, number and order of its parameters, so that calls to the function can be checked against it (for example, whether the function name is correct and whether the types and number of the actual parameters match the formal parameters). The number of function declarations in each OGNL expression is closely related to the network attack of OGNL expression injection, so using the first total count as one dimension of the injection feature data can improve the accuracy of detecting the attack.
Optionally, the first total count may be obtained as follows: count the third total count of all function declarations in each OGNL expression of the input data, sum all the third total counts for the input data to obtain a first sum, and divide the first sum by the fifth total number, which is the number of OGNL expressions in the input data, to obtain the first total count, i.e. the average number of function declarations per OGNL expression in the input data. This obtains the first total count simply and accurately.
For example, if the input data contains 3 OGNL expressions and the third total counts of function declarations in the individual expressions are 2, 3 and 4, then the first sum is 2 + 3 + 4 = 9, and 9 / 3 = 3. That is, the first total count, the average number of function declarations per OGNL expression in this input data, is 3.
Sub-step S4: count the second total count, which is the average number of function calls per OGNL expression in the input data.
When an OGNL expression contains many function calls, the risk that the expression carries an OGNL expression injection attack may also be higher; using the second total count as one dimension of the injection feature data can improve the accuracy of detecting the attack.
Optionally, the second total count may be obtained as follows: count the fourth total count of all function calls in each OGNL expression of the input data, sum all the fourth total counts for the input data to obtain a second sum, and divide the second sum by the fifth total number of OGNL expressions in the input data, to obtain the second total count, i.e. the average number of function calls per OGNL expression in the input data. This obtains the second total count simply and accurately.
For example, if the input data contains 3 OGNL expressions and the fourth total counts of function calls in the individual expressions are 1, 3 and 5, then the second sum is 1 + 3 + 5 = 9, and 9 / 3 = 3. That is, the second total count, the average number of function calls per OGNL expression in this input data, is 3.
Optionally, step 103 may include: counting the injection feature data in the input data using the statistical features of NeoPI, a statistical detection method for webshells (command execution environments). The NeoPI statistical features include the index of coincidence, file entropy, longest word, malicious signatures and compression ratio. These features are all closely related to whether an OGNL expression is malicious, so counting injection feature data in this way can improve detection accuracy.
Optionally, step 103 may include: counting the injection feature data in the input data only when the result data for the input data indicates that every OGNL expression in it conforms to the grammatical specification of OGNL expressions. When every OGNL expression in the input data conforms to the specification, the syntax of the input data is valid, and only then is the injection feature data counted, which avoids wasted work. Specifically, under normal circumstances, if at least one OGNL expression in the input data does not conform to the grammatical specification, the input data can essentially be regarded as invalid or illegal, and there is no need to count its injection feature data.
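The four sub-steps S1 to S4 and the NeoPI-style statistics can both be computed from the raw text without a full parse. The following added example (not the patent's code) does so in Python for one piece of input data given as a list of OGNL expression strings. The sensitive-function set is a constructed assumption; "function" is interpreted as a method call (an identifier immediately followed by `(`) and "function declaration" as an OGNL lambda definition `:[ ... ]`, because OGNL has no other declaration form; the NeoPI signature list ("malicious features") is omitted, the other four NeoPI measures are implemented.

```python
import math
import re
import zlib

# Assumed set of Java methods reachable through OGNL that this example treats as "sensitive
# functions" (constructed for the example; a deployment would maintain its own list).
SENSITIVE_FUNCTIONS = {"getRuntime", "exec", "forName", "getMethod", "invoke",
                       "newInstance", "setAccessible", "getDeclaredField", "start"}
# Operator tokens: those the page lists (+ - * / % in eq gt . @ #) plus common OGNL extras.
OPERATORS = {"+", "-", "*", "/", "%", "in", "eq", "gt", ".", "@", "#", "=", "==", "!=",
             "<", ">", "lt", "neq", "&&", "||", "and", "or", "not", "!"}
# One-pass lexer: string literals, identifiers, numbers, two-character operators, the lambda
# opener ":[", then any other non-space character as a single token.
TOKEN_RE = re.compile(r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[A-Za-z_]\w*|\d+|==|!=|&&|\|\||:\[|[^\s\w]""")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def expression_counts(expr):
    """Raw counts for one OGNL expression; sub-steps S1 to S4 aggregate these."""
    toks = TOKEN_RE.findall(expr)
    # A function is counted where an identifier is immediately followed by "(", e.g. exec('id').
    calls = [t for t, nxt in zip(toks, toks[1:]) if IDENT_RE.fullmatch(t) and nxt == "("]
    return {
        "sensitive": sum(1 for c in calls if c in SENSITIVE_FUNCTIONS),
        "functions": len(calls),
        "operators": sum(1 for t in toks if t in OPERATORS),
        "chars": len(expr),
        # OGNL lambda definitions (#f = :[ ... ]) are taken as the "function declarations" of S3.
        "declarations": toks.count(":["),
    }


def injection_features(input_data):
    """Step 103: S1 to S4 over all OGNL expressions of one piece of input data."""
    totals = {"sensitive": 0, "functions": 0, "operators": 0, "chars": 0, "declarations": 0}
    for expr in input_data:
        for key, value in expression_counts(expr).items():
            totals[key] += value
    n = len(input_data)
    return {
        # S1: sensitive functions / all functions; S2: operators / all characters
        "first_proportion": totals["sensitive"] / totals["functions"] if totals["functions"] else 0.0,
        "second_proportion": totals["operators"] / totals["chars"] if totals["chars"] else 0.0,
        # S3 and S4: per-expression averages (the page's first and second total counts)
        "first_total_count": totals["declarations"] / n,
        "second_total_count": totals["functions"] / n,
    }


def neopi_features(text):
    """NeoPI-style statistics over the raw text (the signature-based 'malicious features' are omitted)."""
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    # Shannon entropy in bits per character rises for encoded or random-looking payloads, while the
    # index of coincidence (probability that two characters drawn without replacement are equal) falls.
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    coincidence = sum(c * (c - 1) for c in counts.values()) / (n * (n - 1)) if n > 1 else 0.0
    longest_word = max((len(w) for w in text.split()), default=0)
    compression_ratio = len(zlib.compress(text.encode("utf-8"))) / n if n else 0.0
    return {"entropy": entropy, "index_of_coincidence": coincidence,
            "longest_word": longest_word, "compression_ratio": compression_ratio}


if __name__ == "__main__":
    # Constructed sample input data: a benign navigation and an injection attempt.
    print(injection_features(["person.name", "order.items.size()"]))
    print(injection_features(["@java.lang.Runtime@getRuntime().exec('id')"]))
    print(neopi_features("@java.lang.Runtime@getRuntime().exec('id')"))
```

The ratios are taken over the whole input data rather than per expression, as sub-steps S1 and S2 specify, while S3 and S4 divide by the number of expressions; an input with no function at all yields a first proportion of 0.0 rather than a division error.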
Step 104: input the result data and the injection feature data corresponding to the input data into a preset network attack detection model, to obtain a detection result of whether the input data includes an OGNL expression injection.
The preset network attack detection model is trained in advance. When the result data and injection feature data corresponding to the input data are input into it, it outputs the detection result of whether the input data includes an OGNL expression injection.
Optionally, the preset network attack detection model includes a logistic regression (LR) model (the original text labels it "linear regression", but the sigmoid-based binary classifier it describes is logistic regression). The LR model handles binary classification problems. In the scenario of detecting OGNL expression injection attacks in input data, the dependent variable y is divided into a positive class and a negative class, where the positive class denotes input data containing an OGNL expression injection and the negative class denotes input data free of the hazard of OGNL expression injection. Thus the dependent variable y ∈ {0, 1}, where 0 denotes the negative class and 1 the positive class. The functional form of the LR model is the following formula (1).
$h_\theta(x) = g(\theta^{T} x)$   Formula (1)
When $h_\theta(x) \ge 0.5$ the prediction is y = 1, and when $h_\theta(x) < 0.5$ the prediction is y = 0. Here x denotes the vector formed by the result data and the injection feature data corresponding to the input data, θ denotes the matrix formed by the weights corresponding to each of those data, and T denotes the transpose of that matrix. g(z) denotes the sigmoid function, given by the following formula (2).
$g(z) = \dfrac{1}{1 + e^{-z}}$   Formula (2)
So the logistic regression model is formula (3), obtained by substituting formula (2) into formula (1).
Using a logistic regression model to obtain the detection result of whether the input data includes an OGNL expression injection is easy to implement and fast to compute, and the detection result is relatively accurate.
In the embodiments of the present application, result data indicating whether every OGNL expression in the input data conforms to the grammatical specification of OGNL expressions is obtained, the injection feature data in the input data is counted, and the result data and injection feature data corresponding to the input data are input into the preset network attack detection model to obtain a detection result of whether the input data includes an OGNL expression injection. This provides a detection method for the network attack of OGNL expression injection. At the same time, the result data and injection feature data corresponding to the input data are multi-dimensional data with a higher correlation to OGNL expression injection, so the detection accuracy for OGNL expression injection is higher, the recall is also higher and the missed detection rate is lower, which improves the protection capability against OGNL expression injection. Moreover, the detection is performed as soon as the input data is obtained, so it has better real-time performance.
FIG. 2 is a flowchart of the steps of another network attack detection method provided in an embodiment of the present application. Referring to FIG. 2, the method may include the following steps.
Step 201: acquire input data, the input data including at least one OGNL expression.
Step 202: obtain result data indicating whether every OGNL expression in the input data conforms to the grammatical specification of OGNL expressions.
Step 203: count the injection feature data in the input data.
Steps 201 to 203 correspond to steps 101 to 103 above and achieve the same or similar beneficial effects; to avoid repetition they are not described again here.
Step 204: use acquired historical input data as first sample data to train the preset network attack detection model.
That is, the preset network attack detection model is obtained by training on historical input data. Optionally, the preset network attack detection model includes a logistic regression model; reference may be made to the related description above, which achieves the same or similar beneficial effects and is not repeated here.
Step 205: input the result data and the injection feature data corresponding to the input data into the preset network attack detection model, to obtain a detection result of whether the input data includes an OGNL expression injection.
Step 205 corresponds to step 104 above and achieves the same or similar beneficial effects; to avoid repetition it is not described again here.
Step 206: use the input data as second sample data to update the preset network attack detection model.
Using the input data as second sample data to update the preset network attack detection model in real time has two benefits: a rich data source improves the robustness of the model, and, relying on real-time data updates, the parameters of the model can be conveniently updated in real time, which facilitates iterative updates.
It should be noted that the method can also be combined with cloud platform big data; applications on the public network of a cloud platform are more vulnerable to the network attack of OGNL expression injection. For example, large enterprises such as banks, insurance companies and e-commerce retailers are now moving to the cloud, and Web (World Wide Web) applications exposed directly on the public network are more vulnerable to OGNL expression injection, leading to security problems such as leakage of personal and corporate confidential data, financial loss and business interruption, with serious impact on these enterprises. When the method is combined with cloud platform big data, the cloud platform big data can provide more and richer first sample data, making the trained preset network attack detection model more accurate and more robust; it can also provide more and richer second sample data, so that the parameters of the preset network attack detection model can be updated and iterated conveniently and quickly.
Figure 3 is a structural diagram of a network attack detection apparatus provided by an embodiment of the present application. The present application also provides a network attack detection apparatus which, as shown in Figure 3, includes: an input data acquisition module 301, configured to acquire input data, the input data including at least one object navigation graph language expression;
a result data acquisition module 302, configured to acquire result data indicating whether every object navigation graph language expression in the input data conforms to the grammatical specification of the object navigation graph language;
a statistics module 303, configured to count the injection feature data in the input data;
a detection module 304, configured to input the result data and the injection feature data corresponding to the input data into a preset network attack detection model to obtain a detection result of whether the input data includes an object navigation graph language expression injection.
Optionally, the statistics module 303 includes at least one of the following sub-modules: a first statistics sub-module, configured to count a first proportion, namely a first total number of all sensitive functions in the input data as a share of a second total number of all functions in the input data; a second statistics sub-module, configured to count a second proportion, namely a third total number of all operators in the input data as a share of a fourth total number of all characters in the input data; a third statistics sub-module, configured to count a first total count, namely the average number of function declarations per object navigation graph language expression in the input data; and a fourth statistics sub-module, configured to count a second total count, namely the average number of function calls per object navigation graph language expression in the input data.
Optionally, the statistics module 303 includes a fifth statistics sub-module, configured to count the injection feature data in the input data by statistical detection based on the command execution environment.
Optionally, the statistics module 303 includes a sixth statistics sub-module, configured to count the injection feature data in the input data when the result data indicates that all object navigation graph language expressions in the input data conform to the grammatical specification of the object navigation graph language.
Optionally, the network attack detection apparatus further includes a training module, configured to use the acquired historical input data as first sample data to train the preset network attack detection model.
Optionally, the network attack detection apparatus further includes an updating module, configured to use the input data as second sample data to update the preset network attack detection model.
Optionally, the preset network attack detection model includes a linear regression model.
Optionally, the result data acquisition module 302 includes a first result data acquisition sub-module, configured to determine, when an abstract syntax tree is generated for every object navigation graph language expression in the input data, the result data corresponding to the input data as indicating that every object navigation graph language expression in the input data conforms to the grammatical specification of the object navigation graph language.
Optionally, the result data acquisition module 302 includes a second result data acquisition sub-module, configured to acquire result data indicating whether every object navigation graph language expression in the input data conforms to the grammatical specification defined by the Backus-Naur form of the object navigation graph language.
Optionally, the second result data acquisition sub-module includes a result data acquisition unit, configured to acquire, using an LALR parser, result data indicating whether every object navigation graph language expression in the input data conforms to the grammatical specification defined by the Backus-Naur form of the object navigation graph language.
Optionally, the third statistics sub-module includes: a first statistics unit, configured to count a third total count of all function declarations in each object navigation graph language expression in the input data; a first summation unit, configured to sum all third total counts corresponding to the input data to obtain a first sum; and a first total count acquisition unit, configured to divide the first sum by a fifth total number, namely the number of all object navigation graph language expressions in the input data, to obtain the first total count, the average number of function declarations per object navigation graph language expression in the input data.
Optionally, the fourth statistics sub-module includes: a second statistics unit, configured to count a fourth total count of all function calls in each object navigation graph language expression in the input data; a second summation unit, configured to sum all fourth total counts corresponding to the input data to obtain a second sum; and a second total count acquisition unit, configured to divide the second sum by the fifth total number, namely the number of all object navigation graph language expressions in the input data, to obtain the second total count, the average number of function calls per object navigation graph language expression in the input data.
As the apparatus embodiment is essentially similar to the method embodiment, its description is relatively brief; for relevant details, refer to the corresponding description of the method embodiment.
It should be noted that all information and data acquired in the embodiments of the present application are acquired with the authorization of the information/data holder.
The present application is further explained below with reference to specific embodiments.
Figure 4 is a schematic flow chart of network attack detection provided by an embodiment of the present application. Figure 5 is a schematic flow chart of another network attack detection provided by an embodiment of the present application. Referring to Figure 4, the input data set of existing OGNL expression injection attacks on the cloud platform is annotated.
Referring to Figures 4 and 5, the historical input data is scanned and tokenized. The resulting token sequence is fed to an LALR parser, which determines, according to the grammar defined by the BNF of OGNL, whether the token sequence conforms to that grammar, yielding the result data corresponding to the historical input data.
Referring to Figures 4 and 5, the injection feature data in the historical input data is obtained by NeoPI statistics. More specifically, this step may include obtaining, by NeoPI statistics: the first proportion, namely the first total number of all sensitive functions in the historical input data as a share of the second total number of all functions in it; the second proportion, namely the third total number of all operators as a share of the fourth total number of all characters; the first total count, namely the average number of function declarations per object navigation graph language expression; and the second total count, namely the average number of function calls per object navigation graph language expression.
Referring to Figures 4 and 5, a linear regression model is trained on the result data corresponding to the historical input data together with the first proportion, second proportion, first total count and second total count, yielding the preset network attack detection model. The upper dashed box in Figure 4 mainly shows the training of the preset network attack detection model.
Referring to Figures 4 and 5, input data is acquired and the same operations applied to the historical input data are performed on it until its result data, first proportion, second proportion, first total count and second total count are obtained. These are then input into the trained preset network attack detection model to obtain a detection result of whether the input data includes OGNL expression injection. Referring to Figure 5, the detection result is reported to the cloud platform. When the number of input data records containing OGNL expression injection exceeds a preset number, a security alarm is raised. The preset number can be set according to actual needs and is not specifically limited by the present application.
Referring to Figure 4, the trained preset network attack detection model is updated with the result data, first proportion, second proportion, first total count and second total count corresponding to the input data. The lower dashed box in Figure 4 mainly shows network attack detection and the iterative updating of the preset network attack detection model.
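As a worked illustration of the pipeline in Figures 4 and 5 (and of the statistics sub-modules, training module and updating module of the apparatus above), the following Python example is added here; it is not code from the patent or its applicant. It assumes: a bracket-balance check stands in for the LALR/BNF parser, whose grammar the page does not reproduce; the "sensitive function" list, the operator character set, the pattern `identifier(` as a function call and the OGNL lambda marker `:[` as the function-declaration signal are all assumptions; the injection statistics are computed directly rather than by NeoPI; the linear regression is solved in pure Python by ridge-regularised normal equations; the update step receives an explicit label; and every sample expression is constructed, not real traffic.

```python
import re
from typing import List, Sequence, Tuple

# Assumed list of reflection-style function names treated as "sensitive"; the page does not enumerate them.
SENSITIVE_FUNCTIONS = {"exec", "forName", "getMethod", "invoke", "newInstance", "getRuntime", "getClass"}
OPERATOR_CHARS = set("+-*/%=<>!&|^~?:.,@#[]{}()")   # assumed operator alphabet
CALL_RE = re.compile(r"([A-Za-z_]\w*)\s*\(")       # identifier followed by '(' counts as a function call
LAMBDA_RE = re.compile(r":\[")                      # OGNL lambda ':[ ... ]' stands in for a function declaration

def conforms_to_grammar(expr: str) -> bool:
    """Stand-in for the LALR/BNF check: non-empty and bracket-balanced (not a full OGNL parser)."""
    closers = {")": "(", "]": "[", "}": "{"}
    stack: List[str] = []
    for ch in expr:
        if ch in "([{":
            stack.append(ch)
        elif ch in closers and (not stack or stack.pop() != closers[ch]):
            return False
    return bool(expr.strip()) and not stack

def extract_features(expressions: Sequence[str]) -> List[float]:
    """Result flag plus the four injection statistics for one input record (a batch of expressions)."""
    n = len(expressions)
    calls = [CALL_RE.findall(e) for e in expressions]
    total_calls = sum(len(c) for c in calls)
    sensitive = sum(1 for c in calls for name in c if name in SENSITIVE_FUNCTIONS)
    chars = sum(len(e) for e in expressions)
    ops = sum(1 for e in expressions for ch in e if ch in OPERATOR_CHARS)
    decls = sum(len(LAMBDA_RE.findall(e)) for e in expressions)
    return [
        1.0 if all(conforms_to_grammar(e) for e in expressions) else 0.0,  # result data: all expressions parse
        sensitive / total_calls if total_calls else 0.0,                   # first proportion: sensitive / all functions
        ops / chars if chars else 0.0,                                     # second proportion: operators / all characters
        decls / n if n else 0.0,                                           # first total count: avg declarations per expr
        total_calls / n if n else 0.0,                                     # second total count: avg calls per expr
    ]

def fit_linear_regression(X: Sequence[Sequence[float]], y: Sequence[float], ridge: float = 1e-3) -> List[float]:
    """Least-squares weights (bias first) via ridge-regularised normal equations and Gauss-Jordan elimination."""
    rows = [[1.0] + list(x) for x in X]
    d = len(rows[0])
    A = [[sum(r[i] * r[j] for r in rows) + (ridge if i == j else 0.0) for j in range(d)] for i in range(d)]
    b = [sum(r[i] * t for r, t in zip(rows, y)) for i in range(d)]
    M = [A[i] + [b[i]] for i in range(d)]                       # augmented matrix [A | b]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(d):
            if r != col:
                f = M[r][col]
                M[r] = [a - f * c for a, c in zip(M[r], M[col])]
    return [M[i][d] for i in range(d)]

class OgnlInjectionDetector:
    """Steps 204-206: train on historical records, score new records, refit with them as second sample data."""
    def __init__(self, samples: Sequence[Tuple[Sequence[str], int]], threshold: float = 0.5) -> None:
        self.samples = [(list(e), int(l)) for e, l in samples]   # first sample data: (expressions, label)
        self.threshold = threshold
        self._refit()
    def _refit(self) -> None:
        X = [extract_features(e) for e, _ in self.samples]
        y = [float(l) for _, l in self.samples]
        self.weights = fit_linear_regression(X, y)
    def score(self, expressions: Sequence[str]) -> float:
        f = extract_features(expressions)
        return self.weights[0] + sum(w * v for w, v in zip(self.weights[1:], f))
    def detect(self, expressions: Sequence[str]) -> bool:
        return self.score(expressions) >= self.threshold
    def update(self, expressions: Sequence[str], label: int) -> None:
        self.samples.append((list(expressions), int(label)))   # second sample data; label supplied explicitly (assumption)
        self._refit()

def should_alarm(detections: Sequence[bool], preset_count: int) -> bool:
    """Security alarm when more than preset_count records were detected as containing an injection."""
    return sum(1 for d in detections if d) > preset_count

# Constructed historical records (label 1 = contains an OGNL expression injection); not real traffic.
HISTORICAL_SAMPLES = [
    (["user.name", "#session.cart.total > 100"], 0),
    (["items.{? #this.price > 10}", "name.toUpperCase()"], 0),
    (["order.lines[0].quantity * order.lines[0].price"], 0),
    (["customer.address.city", "customer.tags.size()"], 0),
    (["x.forName(a).getMethod(b).invoke(c)", "#cmd=y.getRuntime().exec(z)"], 1),
    ([":[ #this.getClass().forName(n) ].newInstance()", "(#a=@b@c().exec(d))"], 1),
    (["#p.getClass().getMethod(m).invoke(#q)"], 1),
    (["q.forName(r).newInstance().exec(s)", "#t=u.getRuntime()"], 1),
]

if __name__ == "__main__":
    detector = OgnlInjectionDetector(HISTORICAL_SAMPLES)
    incoming = [["product.name"], ["v.getRuntime().exec(w)"], ["#total = price * qty"]]
    results = [detector.detect(rec) for rec in incoming]
    for rec, hit in zip(incoming, results):
        print(f"{hit!s:5} {detector.score(rec):6.3f} {rec}")
        detector.update(rec, int(hit))            # step 206: feed the scored record back as second sample data
    print("alarm:", should_alarm(results, preset_count=0))
```

On the constructed training set the sensitive-function proportion alone separates the two classes, so the fitted weights concentrate on that feature and the grammar flag carries no signal (all samples parse). In practice the grammar flag matters for the opposite reason: a batch that fails the parser never reaches the statistics step in the sixth statistics sub-module variant, and a model trained only on parseable input should not be trusted to score unparseable input.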
Figure 6 is a structural diagram of an electronic device provided by an embodiment of the present application. The present application also provides an electronic device, see Figure 6, including a processor 901, a memory 902, and a computer program 9021 stored in the memory and executable on the processor, the processor implementing the network attack detection method of the foregoing embodiments when executing the program.
The present application also provides a readable storage medium; when the instructions in the storage medium are executed by a processor of an electronic device, the electronic device is enabled to perform the network attack detection method of the foregoing embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teachings herein. The structure required to construct such systems is apparent from the description above. In addition, the present application is not directed to any particular programming language. It should be understood that a variety of programming languages may be used to implement the contents of the present application described herein, and the above descriptions of specific languages are intended to disclose the best mode of the present application.
The description provided herein sets out a large number of specific details. However, it is understood that the embodiments of the present application can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the present application and aid understanding of one or more of the various inventive aspects, the various features of the present application are sometimes grouped together in the above description of exemplary embodiments into a single embodiment, figure, or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed application requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present application.
Those skilled in the art will appreciate that the modules in the devices of the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiment. The modules, units or components in the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
The various component embodiments of the present application may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the sorting device according to the present application. The present application may also be implemented as a device or apparatus program for executing part or all of the methods described herein. Such a program implementing the present application may be stored on a computer-readable medium or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present application, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present application may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
The user information (including but not limited to the user's device information and personal information) and related data involved in the present application are all information authorized by the user or by all parties concerned.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may refer to the corresponding processes in the foregoing method embodiments and are not repeated here.
The above description is only a preferred embodiment of the present application and is not intended to limit it; any modifications, equivalent substitutions and improvements made within the spirit and principles of the present application shall fall within its scope of protection.
The above is only a specific implementation of the present application, but the scope of protection of the present application is not limited thereto; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed in the present application shall fall within its scope of protection. Therefore, the scope of protection of the present application shall be that of the claims.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310047999.4A CN115801456B (en) | 2023-01-31 | 2023-01-31 | Network attack detection method, device, electronic device and storage medium |
| CN202310047999.4 | 2023-01-31 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024159955A1 true WO2024159955A1 (en) | 2024-08-08 |
Family
ID=85429343
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/139975 Ceased WO2024159955A1 (en) | 2023-01-31 | 2023-12-19 | Network attack detection method and apparatus, electronic device and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN115801456B (en) |
| WO (1) | WO2024159955A1 (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115801456B (en) * | 2023-01-31 | 2023-06-23 | 天翼云科技有限公司 | Network attack detection method, device, electronic device and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107590387A (en) * | 2017-09-04 | 2018-01-16 | 杭州安恒信息技术有限公司 | EL expression formula injection loopholes detection method, device and electronic equipment |
| CN109450846A (en) * | 2018-09-19 | 2019-03-08 | 杭州安恒信息技术股份有限公司 | A kind of EL expression formula injection loophole batch detecting device and detection method |
| US10530809B1 (en) * | 2016-09-15 | 2020-01-07 | Symantec Corporation | Systems and methods for remediating computer stability issues |
| CN113138913A (en) * | 2020-01-17 | 2021-07-20 | 深信服科技股份有限公司 | Java code injection detection method, device, equipment and storage medium |
| CN113645224A (en) * | 2021-08-09 | 2021-11-12 | 杭州安恒信息技术股份有限公司 | Network attack detection method, device, equipment and storage medium |
| KR102449282B1 (en) * | 2022-05-04 | 2022-09-29 | (주) 시큐러스 | Site replication device to enhance website security |
| CN115801456A (en) * | 2023-01-31 | 2023-03-14 | 天翼云科技有限公司 | Network attack detection method and device, electronic equipment and storage medium |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109194606B (en) * | 2018-07-05 | 2022-05-03 | 百度在线网络技术(北京)有限公司 | Attack detection system, method, computer device and storage medium |
| CN110266669B (en) * | 2019-06-06 | 2021-08-17 | 武汉大学 | A method and system for general detection and location of Java Web framework vulnerability attacks |
| CN113472721B (en) * | 2020-03-31 | 2022-12-06 | 华为技术有限公司 | Network attack detection method and device |
2023
- 2023-01-31: CN application CN202310047999.4A, publication CN115801456B, status Active
- 2023-12-19: PCT application PCT/CN2023/139975, publication WO2024159955A1, status Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN115801456A (en) | 2023-03-14 |
| CN115801456B (en) | 2023-06-23 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23919517; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |