(19)
(11)EP 3 703 329 A1

(12)EUROPEAN PATENT APPLICATION
published in accordance with Art. 153(4) EPC

(43)Date of publication:
02.09.2020 Bulletin 2020/36

(21)Application number: 18871133.7

(22)Date of filing:  24.10.2018
(51)International Patent Classification (IPC): 
H04L 29/06(2006.01)
H04L 12/24(2006.01)
(86)International application number:
PCT/CN2018/111599
(87)International publication number:
WO 2019/080860 (02.05.2019 Gazette  2019/18)
(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
Designated Extension States:
BA ME
Designated Validation States:
KH MA MD TN

(30)Priority: 26.10.2017 CN 201711013266

(71)Applicant: New H3C Security Technologies Co., Ltd.
Hefei, Anhui 230001 (CN)

(72)Inventors:
  • JIA, Ruoran
    Beijing 100085 (CN)
  • GU, Chengjie
    Beijing 100085 (CN)

(74)Representative: Zimmermann & Partner Patentanwälte mbB 
Postfach 330 920
80069 München
80069 München (DE)

  


(54)WEBPAGE REQUEST IDENTIFICATION


(57) A method and an apparatus for identifying a web page request are provided. The method comprises obtaining a plurality of sample web page requests marked with tags, wherein each tag of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request; determining a structural feature of each sample web page request; obtaining text words of each sample web page request; calculating a weight of each text word of each sample web page request; determining a feature vector of each sample web page request according to the structural feature of each sample web page request and the weight of each text word of each sample web page request; training a web page request identification model according to the feature vector and the tag of each sample web page request, based on a machine learning algorithm; and when a web page request to be identified is obtained, identifying the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not. Applying the example of the present disclosure, the accuracy of the identification of the web page request is improved.




Description

CROSS REFERENCE TO RELATED APPLICATIONS



[0001] The present disclosure claims the priority to a Chinese Patent Application No. 201711013266.X, filed with the China National Intellectual Property Administration on October 26, 2017 and entitled "A METHOD AND APPARATUS FOR IDENTIFYING A WEB PAGE REQUEST", which is incorporated herein by reference in its entirety.

BACKGROUND



[0002] With the development of Internet technology, various network services facilitate people's lives, but also provide attackers with more opportunities for attacks. A malicious web page request is an attack form used by an attacker. The malicious web page request utilizes vulnerabilities of the network services to attack a network server, through questionnaire uploading, cross-site scripting, HTTP (HyperText Transfer Protocol) request spoofing, SQL (Structured Query Language) injection, and the like, so as to achieve the purposes of stealing information, disabling web services, etc.

[0003] In order to improve network security and ensure network service quality, it is required to accurately identify malicious web page requests. At present, an identification of a web page request is mainly implemented by using a hidden Markov model. This implementation specifically includes: obtaining a sample web page request, wherein the sample web page request may be a malicious web page request or a non-malicious web page request; converting text information of the sample web page request into a form of a state; for each state, making a statistics on a probability that a state after this state is a certain state, for example, a probability that a state after "today" state is "weather" state, a probability that a state after "today" state is "meal" state, and the like, so as to determine probability distribution of a state after each state; constructing a state transition model according to the determined probability distribution, that is, a web page request identification model; determining a probability that a web page request to be identified is a non-malicious web page and a probability that a web page request to be identified is a malicious web page request through the web page request identification model; if the probability of the non-malicious web page request is greater than the probability of the malicious web page request, determining that the web page request to be identified is a non-malicious web page request; and if the probability of the non-malicious web page request is not greater than the malicious web page, determining that the web page request to be identified is a malicious web page request.

BRIEF DESCRIPTION OF THE DRAWINGS



[0004] In order to more clearly describe the technical solutions in the present disclosure and in the prior art, drawings that need to be used in examples and the prior art will be briefly described below. Obviously, the drawings provided below are for only some examples of the present disclosure; those skilled in the art can also obtain other drawings based on these drawings without any creative efforts.

FIG. 1 is a schematic flowchart of a method for identifying a web page request provided by an example of the present disclosure;

FIG. 2 is a schematic structural diagram of an apparatus for identifying a web page request provided by an example of the present disclosure;

FIG. 3 is a schematic structural diagram of an electronic device provided by an example of the present disclosure.


DETAILED DESCRIPTION



[0005] The technical solutions in the examples of the present disclosure will be clearly and completely described in combination with the drawings in the examples of the present disclosure. Obviously, the described examples are only some, and not all, of the examples of the present disclosure. All other examples obtained based on the examples of the present disclosure by those skilled in the art without any creative efforts fall into the scope of protection defined by the present disclosure.

[0006] At present, the identification of a web page request is mainly implemented by using a hidden Markov model. However, when the hidden Markov model is used to identify a web page request, only text information of the web page request is considered, which causes the lower accuracy of the identification of the web page request.

[0007] In order to improve the accuracy of the identification of the web page request, an example of the present disclosure provides a method for identifying a web page request. The method for identifying a web page request may be applicable to any electronic device. Referring to FIG. 1, FIG. 1 is a schematic flowchart of a method for identifying a web page request provided by an example of the present application.

[0008] In block 101, a plurality of sample web page requests marked with tags are obtained; wherein each tag of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request. For each sample web page request of the plurality of sample web page requests, the tag of this sample web page request is to indicate whether this sample web page request is a malicious web page request or non-malicious web page request.

[0009] In the technical solution provided by the example of the present disclosure, a web page request is used to access or acquire a network resource. The web page request may include a URL (Uniform Resource Locator) required for accessing or acquiring the network resource. By way of example and not by way of limitation, a web page request may be specifically a URL

[0010] In order to improve the accuracy and reliability of the web page request identification model obtained by training, a large number of sample web page requests marked with tags may be obtained to train the web page request identification model.

[0011] In block 102, a structural feature of each sample web page request is determined.

[0012] A web page request may be composed of information such as parameters, parameter values, illegal parameters and the like. Here, an illegal parameter is a character that is not allowed to be included in the web page request, for example, a Chinese character, a space, or the like.

[0013] In the technical solution provided in the example of the present disclosure, after the sample web page requests are obtained, for each sample web page request obtained, the structural feature of this sample web page request may be determined based on information such as parameters, parameter value, illegal parameter information and the like included in this sample web page request.

[0014] In an example of the present disclosure, the structural feature of the sample web page request may include the number of parameters, the average length of parameter values, the maximum number of bytes of parameter values, the number of illegal parameters and the like. For example, if the number of parameters in a sample web page request W is 10, the average length of parameter values is 6, and the number of illegal parameters is 2, it is determined that the structural feature of the sample web page request may be {10, 6, 2}.

[0015] In block 103, the text information of each sample web page request is segmented to obtain text words of each sample web page request.

[0016] In the example of the present disclosure, the text information of the web page request may include information such as a domain name, a path, a parameter name, and a parameter value. The text information of the web page request is separated by a separator. Here, the separator includes /, ? , =, & or the like. For example, a URL is user name:password@subdomain.domain name.top level domain:port number/ directory/file name.file suffix?parameter=value#mark, wherein subdomain.domain name.top level domain:port number/directory/file name.file suffix is the path of the URL

[0017] In an example of the present disclosure, in segmenting text information of a sample web page request after the sample web page request is obtained, a separator may be used to segment the text information of the sample web page request to obtain text words. In this way, a complete information in a sample web page request is not divided into a plurality of text words. For example, a domain name is not divided into a plurality of text words, and a path is not divided into a plurality of text words, a parameter name is not divided into a plurality of text words, and a parameter value is not divided into a plurality of text words. In this way, the extracted text words can be used to identify web page requests.

[0018] In block 104, a weight of each text word of each sample web page request is calculated.

[0019] In the example of the present disclosure, a weight of a text word may be a system default weight. For example, after a text word is obtained, the default weight of the text word is used as the weight of the text word.

[0020] A weight of a text word may also be the number of occurrences of the text word. That is, the number of occurrences of a text word is used as the weight of the text word. The number of occurrences of a text word is the number of occurrences of the text word in all the text words obtained.

[0021] A weight of a text word may also be determined based on the number of sample web page requests that include the text word.

[0022] In block 105, for each sample web page request, a feature vector of this sample web page request is determined according to the structural feature of this sample web page request and the weight of each text word of this sample web page request.

[0023] For each sample web page request, after the structural feature of this sample web page request and the weight of each text word of this sample web page request are determined, a feature vector of this sample web page request may be determined based on the structural feature of this sample web page request and the weight of each text word of this sample web page request.

[0024] For example, for one sample web page request, the structural feature of the sample web page request is determined as {10, 6, 2}. In addition, 13 text words are obtained from the sample web page request, and the weights of the text words of the sample web page request are respectively determined as 0.2, 0.3, 0.15, 0.7, 0.62, 0.42, 0.32, 0.95, 0.57, 0.88, 0.63, 0.51, 0.16. It can be determined that the feature vector of the sample web page request is {10, 6, 2, 0.2, 0.3, 0.15, 0.7, 0.62, 0.42, 0.32, 0.95, 0.57, 0.88, 0.63, 0.51, 0.16}, or it can be determined that the feature vector of the sample web page request is {0.2, 0.3, 0.15, 0.7, 0.62, 0.42, 0.32, 0.95, 0.57, 0.88, 0.63, 0.51, 0.16, 10, 6, 2}.

[0025] In block 106, a web page request identification model is trained according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm.

[0026] The above machine learning algorithm may be, but not limited to a support vector machine algorithm, a neural network, a logistic regression or the like.

[0027] In an example of the present disclosure, the web page request identification model may be trained according to the feature vector of each sample web page request and the tag of each sample web page request, based on the support vector machine algorithm and a stochastic gradient descent algorithm. In training the web page request identification model, parameters of the web page request identification model may be adjusted by using the stochastic gradient descent algorithm, an error backpropagation algorithm, or the like. Here, the web page request identification model is a support vector machine model. The parameters of the web page request identification model include: a penalty coefficient, a kernel function, a kernel function coefficient, a memory resource required for training, a weighting of each type of features, a maximum number of iterations, or the like.

[0028] The penalty coefficient is a tolerance for errors. The higher the penalty coefficient is, the lower the tolerance for errors is.

[0029] The kernel function may be one of RBF (Radial Basis Function), Linear function, Poly function, and Sigmoid function.

[0030] The weighting of each type of features is divided into a weighting of the structural feature and a weighting of the weights of the text words.

[0031] The support vector machine model is a discriminant model, which can directly perform modeling on conditional probability. The much less number of sample web page requests is required when the web page request identification model is trained by taking the support vector machine model as the web page request identification model, compared with taking the hidden Markov model, which is a generative model needing to consider the joint probability distribution, as the web page request identification model. This effectively improves the training speed of the web page request identification model.

[0032] In an example of the present disclosure, in order to further improve a training speed of the web page request identification model, the parameters of the web page request identification model may be preset according to the experience value before the web page request identification model is trained.

[0033] In the example of the present disclosure, the web page request identification model is trained according to the weights of the text words and the structural feature of the web page request, so that the type of features for training the web page request identification model is increased. After the training of the web page request identification model is finished, a web page request identification model with a higher identification accuracy can be obtained.

[0034] In block 107, when a web page request to be identified is obtained, the web page request to be identified is identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.

[0035] In the example of the present disclosure, when a web page request to be identified is obtained, the structural feature of the web page request to be identified is determined.

[0036] Text information of the web page request to be identified is segmented to obtain text words of the web page request to be identified.

[0037] A weight of each text word of the web page request to be identified is calculated.

[0038] A feature vector of the web page request to be identified is determined according to the structural feature of the web page request to be identified and the weight of each text word.

[0039] The feature vector of the web page request to be identified is input into the web page request identification model, and the web page request identification model determines a first probability and a second probability of the web page request to be identified according to the feature vector of the web page request to be identified. The first probability is a probability that the web page request to be identified is a malicious web page request, and the second probability is a probability that the web page request to be identified is a non-malicious web page request.

[0040] The web page request identification model outputs an identification result according to the first probability and the second probability. For example, if the first probability is greater than the second probability, the identification result output by the web page request identification model is that the web page request to be identified is a malicious web page request. If the first probability is smaller than or equal to the second probability, the identification result output by the web page request identification model is that the web page request to be identified is a non-malicious web page request.

[0041] In the technical solution provided by the example of the present disclosure, in training the web page request identification model according to the weights of the text words and the structural feature of the web page request, the text information of the web page request and the structural feature of the web page request are considered, so that the type of features for training the web page request identification model is increased. In identifying a web page request to be identified, the weights of the text words and the structural feature of the web page request to be identified are also extracted for determining whether the web page request to be identified is a malicious web page request or not. This effectively improves the accuracy of the identification of the web page request.

[0042] In an example, the weight of each text word may be determined in following ways.

[0043] In section 1, IDF (Inverse Document Frequency) and TF (Term Frequency) of each text word of each sample web page request are determined.

[0044] In an example, for each sample web page request, the number M of web page requests in a corpus that have the same path as the path included in this sample web page request is determined, and for each text word of this sample web page request, the number m of web page requests in the corpus that include this text word is determined. For each text word of each sample web page request, the IDF of this text term can be determined according to the following formula:



[0045] The above corpus may be preset. The corpus includes a large number of web page requests, and a large number of text words. In an example of the present disclosure, an index number may be set for each text word in the corpus. The index numbers of all of text words have the same form, and the index number of one text word is different from the index numbers of other text words.

[0046] Text words of a web page request have various forms. Thus, in order to search for a web page request including a text word from the corpus, the corpus is required to be searched in the form of the text word. For example, if a text word 1 is a word in digital form, a web page request including the text word 1 is searched for in digital form. For another example, if a text word 2 is a word in letter form, a web page request including the text word 2 is searched for in letter form. This may cause that the form for searching for a text word needs to be frequently switched, so as to search for a web page request including the text word in the corpus, in a case of obtaining a large number of text words.

[0047] In the example of the present disclosure, according to the index number of the text word, for each sample web page request, the process of searching for a web page request may include: determining an index number of each text word of the sample web page request; for each text word of the sample web page request, searching for a web page request including the index number of this text word in the corpus, and determining the number of web page requests including the index number of this text word, that is, the number m of web page requests including this text word.

[0048] It can be seen that in searching for a web page request according to the index number, that is, in searching for a web page request including the index number of the text word in the corpus, the web page request is searched for in a common form of index number, which simplifies the complexity of searching, and is convenient for determining the number of web page requests including the text word in the corpus, and determining the IDF of each text word.

[0049] The path of a web page request is the information before the last parameter of the web page request. If a plurality of parameters connected by "&" are included before the end of a web page request, the plurality of parameters connected by "&" are referred to as the last parameter of the web page request. For example, URL 1 is : /tiendal/publico/autenticar.jsp?modo=entrar&login=quinn&pwd=incisivo&reme mber=off&B 1=Entrar

[0050] At this time, the last parameter of URL 1 is: modo=entrar&login=quinn&pwd=incisivo&remember=off&B1=Entrar, and the path of URL 1 is /tiendal/publico/autenticar.jsp.

[0051] For web page requests, there is no relationship between parameters belonging to different paths. For example, URL 11 is path 1? parameter = value, URL 12 is path 2? parameter=value, and URL 13 is path 1? parameter=value. The path of URL 11 is path 1, and the path of URL 12 is path 2. It can be determined that the path of URL 11 is different from that of URL 12, and thus there is no relationship between parameters of URL 11 and parameters of URL 12. The path of URL 11 and the path of URL 13 are path 1, and thus there is a relationship between parameters of URL 11 and parameters of URL 13.

[0052] In determining the IDF of a text word, only a web page request with the same path is considered, which reduces the influence of a web page request with a different path on the IDF, and improves the accuracy of extracting the feature of a web page request.

[0053] In an example, for each text word of each sample web page request, the TF of this text word may be determined based on the number of occurrences of this text word in text words of this sample web page request. For example, for each text word of each sample web page request, the TF of this text word can be determined according to the following formula:

wherein n is the number of occurrences of this text word in the text words of this sample web page request.

[0054] In section 2, for each text word, the weight of this text word is determined based on the IDF and TF of this text word.

[0055] In an example of the present disclosure, after an IDF and a TF of a text word is calculated, a weight δ of the text word may be determined according to the following formula:



[0056] For example, the obtained sample web page request is URL 1, and URL 1 is: /tiendal/publico/autenticar.jsp?modo=entrar&login=quinn&pwd=incisivo&reme mber=off&B1=Entrar,
wherein, the path of URL 1 is /tiendal/publico/autenticar.jsp.

[0057] The tag of URL 1 includes a tag indicating that the web page request is a non-malicious web page request.

[0058] The separators in URL 1 include /, ? , =, &. 13 text words may be obtained by segmenting URL 1 according to these separators: (tiendal, publico, autenticar.jsp, modo, entrar, login, quinn, pwd, incisivo, remember, off, B1, Entrar).

[0059] Then, each of the above text words is searched for in the corpus. If one text word is in the corpus, the index number of the text word in the corpus is recorded. If one text word is not in the corpus, the index number of this text word is not recorded.

[0060] For the index number of each text word, the number m of URLs including the index number in the corpus is determined, and the number M of URLs in the corpus with the same path as the path of URL 1 is determined, that is, the number M of URLs with the path /tiendal/publico/autenticar.jsp is determined, and thus the IDF of the text word of URL 1 is determined as log (M/m). If each of the above 13 text words occurs once, it is determined that the TF of each text word is 1. At this time, it can be determined that the weight δ of each text word of URL 1 is 1log (M/m).

[0061] In an example, the web page request identification model is trained according to the obtained feature vector of each sample web page request and the obtained tag of each sample web page request. Taking a non-malicious sample web page request as an example, the process of training the web page request identification model may include: inputting the feature vector of the sample web page request into the web page request identification model, and determining a third probability and a fourth probability of the sample web page request, wherein the third probability is a probability that the sample web page request is a malicious web page request, and the fourth probability is a probability that the sample web page request is a non-malicious web page request. If the third probability is greater than the fourth probability, parameters of the web page request identification model are adjusted so that the third probability is less than or equal to the fourth probability, or the third probability is still greater than the fourth probability, but the difference between the third probability and the fourth probability is smaller. If the third probability is less than or equal to the fourth probability, and the difference between the third probability and the fourth probability is less than a difference threshold, the parameters of the web page request identification model are adjusted so that the difference between the third probability and the fourth probability is greater than the difference threshold.

[0062] In an example, the web page request identification model is trained according to the obtained feature vector of each sample web page request and the obtained tag of each sample web page request. For example, a plurality of sample web page requests are input into the web page request identification model, respectively; the third probability and the fourth probability of each sample web page request are obtained; and the identification result of each sample web page request is output according to the third probability and the fourth probability of each sample web page request. The identification result may be that the sample web page request is a malicious web page request, or may be that the sample web page request is a non-malicious web page request.

[0063] For example, if the third probability of a web page request is greater than the fourth probability of the sample web page request, the identification result is that the sample web page request is a malicious web page request. If the third probability of a web page request is less than or equal to the fourth probability of the sample web page request, the identification result is that the sample web page request is a non- malicious web page request.

[0064] After the identification result of each sample web page request is obtained, the loss value for identifying the web page request is determined according to the identification result of each sample web page request and the tag of each sample web page request. It is determined whether the web page request identification model converges based on the loss value. If it does not converge, the parameters of the web page request identification model are adjusted, and a plurality of sample web page requests obtained are re-input into the web page request identification model respectively, so as to train the web page request identification model. If it converges, the training of the web page request identification model is ended.

[0065] In an example, the above loss value may be calculated by using a MSE (Mean Squared Error) formula as a loss function. Specifically, see the MSE formula below:

wherein, L(Θi) is the loss value, H represents the number of sample web page requests in a single training, Ih represents the feature vector of the h-th sample web page request, and F(Ihi) represents the identification result obtained after inputting the feature vector of the h-th sample web page request into the web page request identification model, Xh represents the tag of the h-th sample web page request, and i is the number of times of training. The tag of the sample web page request may be 1 or 0. For example, if the tag of the sample web page request is 1, it is indicated that the sample web page request is a malicious web page request; if the tag of the sample web page request is 0, it is indicated that the sample web page request is a non-malicious web page request.

[0066] Of course, the loss value may be calculated by using other formulas as a loss function, which is not limited by the example of the present disclosure.

[0067] In an example, a loss threshold may be preset, and determining whether the web page request identification model converges based on the loss value may be: determining whether the calculated loss value is less than the loss threshold. If it is less than the loss threshold, it is determined that the web page request identification model converges. If it is not less than the loss threshold, it is determined that the web page request identification model does not converge.

[0068] Corresponding to the above example of the method for identifying a web page request, an example of the present application further provides an apparatus for identifying a web page request. Referring to FIG. 2, FIG. 2 is a schematic structural diagram of an apparatus for identifying a web page request provided by an example of the present application. The apparatus includes an obtaining unit 201, a first determination unit 202, a word segmentation unit 203, a calculation unit 204, a second determination unit 205, a training unit 206 and an identification unit 207.

[0069] The obtaining unit 201 is to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request. For each sample web page request of the plurality of sample web page requests, the tag of this sample web page request is to indicate whether this sample web page request is a malicious web page request or non-malicious web page request.

[0070] The first determination unit 202 is to determine a structural feature of each sample web page request.

[0071] The word segmentation unit 203 is to segment text information of each sample web page request to obtain text words of each sample web page request.

[0072] The calculation unit 204 is to calculate a weight of each text word of each sample web page request.

[0073] The second determination unit 205 is to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request.

[0074] The training unit 206 is to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm.

[0075] The identification unit 207 is to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.

[0076] In an example of the present disclosure, the first determination unit 202 may be to
determine the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.

[0077] In an example of the present disclosure, the word segmentation unit 203 may be to
segment the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.

[0078] In an example of the present disclosure, the calculation unit 204 may be to
for each text word of each sample web page request, determine an IDF of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and
determine a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.

[0079] In an example of the present disclosure, the calculation unit 206 may be to
based on a support vector machine algorithm and a stochastic gradient descent algorithm, train the web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request.

[0080] In the example of the present disclosure, in training the web page request identification model according to the weights of the text words and the structural feature of the web page request, the text information of the web page request and the structural feature of the web page request are considered, so that the type of features for training the web page request identification model is increased. This can effectively improve the accuracy of the identification of the web page request.

[0081] Corresponding to the examples of the method for identifying a web page request and the apparatus for identifying a web page request, an example of the present application further provides an electronic device, including a processor and a machine readable storage medium. The machine readable storage medium stores machine executable instructions that can be executed by the processor. The processor is caused by the machine executable instructions to implement any portion of the method for identifying a web page request.

[0082] FIG. 3 is a schematic structural diagram of an electronic device provided by an example of the present application, including a processor 301 and a machine readable storage medium 302. The machine readable storage medium 302 stores machine executable instructions that can be executed by the processor 301.

[0083] In the example of the present disclosure, the machine executable instructions include an obtaining instruction 312, a first determination instruction 322, a word segmentation instruction 332, a calculation instruction 342, a second determination instruction 352, a training instruction 362, and an identification instruction 372.

[0084] The processor 301 is caused by the obtaining instruction 312 to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request. For each sample web page request of the plurality of sample web page requests, the tag of this sample web page request is to indicate whether this sample web page request is a malicious web page request or non-malicious web page request.

[0085] The processor 301 is caused by the first determination instruction 322 to determine a structural feature of each sample web page request.

[0086] The processor 301 is caused by the word segmentation instruction 332 to segment text information of each sample web page request to obtain text words of each sample web page request.

[0087] The processor 301 is caused by the calculation instruction 342 to calculate a weight of each text word of each sample web page request.

[0088] The processor 301 is caused by the second determination instruction 352 to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request.

[0089] The processor 301 is caused by the training instruction 362 to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm.

[0090] The processor 301 is caused by the identification instruction 372 to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.

[0091] In an example of the present disclosure, the processor 301 may be caused by the first determination unit 322 to
determine the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.

[0092] In an example of the present disclosure, the processor 301 may be caused by the word segmentation instruction 332 to
segment the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.

[0093] In an example of the present disclosure, the processor 301 may be caused by the calculation instruction 342 to
for each text word of each sample web page request, determine an IDF of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and
determine a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.

[0094] In an example of the present disclosure, the processor 301 may be caused by the training instruction 362 to
based on a support vector machine algorithm and a stochastic gradient descent algorithm, train the web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request.

[0095] In the example of the present disclosure, in training the web page request identification model according to the weights of the text words and the structural feature of the web page request, the text information of the web page request and the structural feature of the web page request are considered, so that the type of features for training the web page request identification model is increased. This can effectively improve the accuracy of the identification of the web page request.

[0096] In addition, as shown in FIG. 3, the electronic device may further include a communication interface 303 and a communication bus 304; wherein the processor 301, the machine readable storage medium 302, and the communication interface 303 communicate with each other through the communication bus 304, and the communication interface 303 is to communicate between the above electronic device and other devices.

[0097] The communication bus 304 may be a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, or the like. The communication bus 304 may be divided into an address bus, a data bus, a control bus, or the like. For ease of representation, only one thick line is shown in FIG. 3, but it does not mean that there is only one bus or one type of bus.

[0098] The machine readable storage medium 302 may include a RAM (Random Access Memory), and may also include a NVM (Non-Volatile Memory), such as at least one disk storage. In addition, the machine readable storage medium 302 may also be at least one storage device located remotely from the above processor.

[0099] The processor 301 may be a general processor, including a CPU (Central Processing Unit), an NP (Network Processor), or the like. It may also be a DSP (Digital Signal Processing), an ASIC (Application Specific Integrated Circuit), an FPGA (Field-Programmable Gate Array) or other programmable logic devices, discrete gates or transistor logic devices, discrete hardware components.

[0100] Corresponding to the examples of the method for identifying a web page request and the apparatus for identifying a web page request, an example of the present application further provides a machine readable storage medium storing machine executable instructions that cause the processor to implement any portion of the method for identifying a web page request.

[0101] The machine executable instructions include an obtaining instruction, a first determination instruction, a word segmentation instruction, a calculation instruction, a second determination instruction, a training instruction, and an identification instruction.

[0102] When being called and executed by the processor, the obtaining instruction causes the processor to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request. For each sample web page request of the plurality of sample web page requests, the tag of this sample web page request is to indicate whether this sample web page request is a malicious web page request or non-malicious web page request.

[0103] When being called and executed by the processor, the first determination instruction causes the processor to determine a structural feature of each sample web page request.

[0104] When being called and executed by the processor, the word segmentation instruction causes the processor to segment text information of each sample web page request to obtain text words of each sample web page request.

[0105] When being called and executed by the processor, the calculation instruction causes the processor to calculate a weight of each text word of each sample web page request.

[0106] When being called and executed by the processor, the second determination instruction causes the processor to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request.

[0107] When being called and executed by the processor, the training instruction causes the processor to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm.

[0108] When being called and executed by the processor, the identification instruction causes the processor to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.

[0109] In an example of the present disclosure, when being called and executed by the processor, the first determination instruction may cause the processor to
determine the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.

[0110] In an example of the present disclosure, when being called and executed by the processor, the word segmentation instruction may cause the processor to
segment the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.

[0111] In an example of the present disclosure, when being called and executed by the processor, the calculation instruction may cause the processor to
for each text word of each sample web page request, determine an IDF of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and
determine a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.

[0112] In an example of the present disclosure, when being called and executed by the processor, the training instruction may cause the processor to
based on a support vector machine algorithm and a stochastic gradient descent algorithm, train the web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request.

[0113] In the example of the present disclosure, in training the web page request identification model according to the weights of the text words and the structural feature of the web page request, the text information of the web page request and the structural feature of the web page request are considered, so that the type of features for training the web page request identification model is increased. This can effectively improve the accuracy of the identification of the web page request.

[0114] Corresponding to the examples of the method for identifying a web page request and the apparatus for identifying a web page request, an example of the present disclosure further provides machine executable instructions, wherein the processor is caused by the machine executable instructions to implement any portion of the method for identifying a web page request.

[0115] In the example of the present disclosure, the machine executable instructions include an obtaining instruction, a first determination instruction, a word segmentation instruction, a calculation instruction, a second determination instruction, a training instruction, and an identification instruction.

[0116] The processor is caused by the obtaining instruction to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request. For each sample web page request of the plurality of sample web page requests, the tag of this sample web page request is to indicate whether this sample web page request is a malicious web page request or non-malicious web page request.

[0117] The processor is caused by the first determination instruction to determine a structural feature of each sample web page request.

[0118] The processor is caused by the word segmentation instruction to segment text information of each sample web page request to obtain text words of each sample web page request.

[0119] The processor is caused by the calculation instruction to calculate a weight of each text word of each sample web page request.

[0120] The processor is caused by the second determination instruction to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request.

[0121] The processor is caused by the training instruction to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm.

[0122] The processor is caused by the identification instruction to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.

[0123] In an example of the present disclosure, the processor may be caused by the first determination instruction to
determine the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.

[0124] In an example of the present disclosure, the processor may be caused by the word segmentation instruction to
segment the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.

[0125] In an example of the present disclosure, the processor may be caused by the calculation instruction to
for each text word of each sample web page request, determine an IDF of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and
determine a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.

[0126] In an example of the present disclosure, the processor may be caused by the training instruction to
based on a support vector machine algorithm and a stochastic gradient descent algorithm, train the web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request.

[0127] In the example of the present disclosure, in training the web page request identification model according to the weights of the text words and the structural feature of the web page request, the text information of the web page request and the structural feature of the web page request are considered, so that the type of features for training the web page request identification model is increased. This can effectively improve the accuracy of the identification of the web page request.

[0128] It should be noted that the relationship terms use here, such as "first," "second," and the like are only used to distinguish one entity or operation from another entity or operation, but do not necessarily require or imply that there is actual relationship or order between these entities or operations. Moreover, the terms "include," "comprise" or any variants thereof are intended to cover a non-exclusive inclusion, such that processes, methods, articles, or devices, including a series of elements, include not only those elements that have been listed, but also other elements that have not specifically been listed or the elements intrinsic to these processes, methods, articles, or devices. Without further limitations, elements limited by the wording "comprise(s) a/an..." and "include(s) a/an..." do not exclude additional identical elements in the processes, methods, articles, or devices, including the listed elements.

[0129] All of the examples in the description are described in a correlated manner, and identical or similar parts in various examples can refer to one another. The description for each example focuses on the differences from other examples. In particular, the examples of the apparatus for identifying a web page request, the electronic device, the machine readable storage medium and the machine executable instructions are described briefly, since they are substantially similar to the example of the method for identifying a web page request. The related contents can refer to the description of the example of the method for identifying a web page request.

[0130] The examples described above are simply preferable examples of the present disclosure, and are not intended to limit the scope of protection of the present disclosure. Any modifications, alternatives, improvements, or the like within the spirit and principle of the present disclosure shall be included within the scope of protection of the present disclosure.


Claims

1. A method for identifying a web page request, comprising:

obtaining a plurality of sample web page requests marked with tags, wherein each tag of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request;

determining a structural feature of each sample web page request;

segmenting text information of each sample web page request to obtain text words of each sample web page request;

calculating a weight of each text word of each sample web page request;

for each sample web page request, determining a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request;

training a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm; and

when a web page request to be identified is obtained, identifying the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.


 
2. The method of claim 1, wherein determining a structural feature of each sample web page request comprises:
determining the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.
 
3. The method of claim 1, wherein segmenting text information of each sample web page request to obtain text words of each sample web page request comprises:
segmenting the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.
 
4. The method of claim 1, wherein calculating a weight of each text word of each sample web page request comprises:

for each text word of each sample web page request, determining an Inverse Document Frequency (IDF) of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and

determining a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.


 
5. The method of claim 1, wherein training a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm comprises:
based on a support vector machine algorithm and a stochastic gradient descent algorithm, training the web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request.
 
6. An apparatus for identifying a web page request, comprising:

an obtaining unit to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request;

a first determination unit to determine a structural feature of each sample web page request;

a word segmentation unit to segment text information of each sample web page request to obtain text words of each sample web page request;

a calculation unit to calculate a weight of each text word of each sample web page request;

a second determination unit to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request;

a training unit to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm; and

an identification unit to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.


 
7. The apparatus of claim 6, wherein the first determination unit is to
determine the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.
 
8. The apparatus of claim 6, wherein the word segmentation unit is to
segment the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.
 
9. The apparatus of claim 6, wherein the calculation unit is to
for each text word of each sample web page request, determine an Inverse Document Frequency (IDF) of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and
determine a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.
 
10. An electronic device, comprising a processor and a machine readable storage medium, wherein the machine readable storage medium stores machine executable instructions that can be executed by the processor, and the machine executable instructions comprise a obtaining instruction, a first determining instruction, a sending instruction, a word segmentation instruction, a calculation instruction, a second determination instruction, a training instruction, and an identification instruction, wherein,
the processor is caused by the obtaining instruction to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request;
the processor is caused by the first determination instruction to determine a structural feature of each sample web page request;
the processor is caused by the word segmentation instruction to segment text information of each sample web page request to obtain text words of each sample web page request;
the processor is caused by the calculation instruction to calculate a weight of each text word of each sample web page request;
the processor is caused by the second determination instruction to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request;
the processor is caused by the training instruction to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm;
the processor is caused by the identification instruction to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.
 
11. The electronic device of claim 10, wherein the processor is caused by the first determination instruction to
determine the structural feature of each sample web page request according to the number of parameters, the average length of parameter values, and the number of illegal parameters in this sample web page request.
 
12. The electronic device of claim 10, wherein the processor is caused by the word segmentation instruction to
segment the text information of each sample web page request by using separators of a web page request, to obtain the text words of each sample web page request.
 
13. The electronic device of claim 10, wherein the processor is caused by the calculation instruction to
for each text word of each sample web page request, determine an Inverse Document Frequency (IDF) of this text word according to the following formula:

wherein M is the number of web page requests with the same path as a path of this sample web page request in a corpus, and m is the number of web page requests including this text word in the corpus; and
determine a weight δ of this text word according to the following formula:

wherein TF is the number of occurrences of this text word in text words of this sample web page request.
 
14. The electronic device of claim 10, wherein the processor is caused by the training instruction to
based on a support vector machine algorithm and a stochastic gradient descent algorithm, train the web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request.
 
15. A machine readable storage medium storing machine executable instructions, wherein the machine executable instructions comprise a obtaining instruction, a first determining instruction, a sending instruction, a word segmentation instruction, a calculation instruction, a second determination instruction, a training instruction, and an identification instruction, wherein
when being called and executed by the processor, the obtaining instruction causes the processor to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request;
when being called and executed by the processor, the first determination instruction causes the processor to determine a structural feature of each sample web page request;
when being called and executed by the processor, the word segmentation instruction causes the processor to segment text information of each sample web page request to obtain text words of each sample web page request;
when being called and executed by the processor, the calculation instruction causes the processor to calculate a weight of each text word of each sample web page request;
when being called and executed by the processor, the second determination instruction causes the processor to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request;
when being called and executed by the processor, the training instruction causes the processor to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm;
when being called and executed by the processor, the identification instruction causes the processor to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.
 
16. Machine executable instructions, comprising a obtaining instruction, a first determining instruction, a sending instruction, a word segmentation instruction, a calculation instruction, a second determination instruction, a training instruction, and an identification instruction; wherein
the processor is caused by the obtaining instruction to obtain a plurality of sample web page requests marked with tags, wherein each of the tags is a tag indicating that a web page request is a malicious web page request or a tag indicating that a web page request is a non-malicious web page request;
the processor is caused by the first determination instruction to determine a structural feature of each sample web page request;
the processor is caused by the word segmentation instruction to segment text information of each sample web page request to obtain text words of each sample web page request;
the processor is caused by the calculation instruction to calculate a weight of each text word of each sample web page request;
the processor is caused by the second determination instruction to, for each sample web page request, determine a feature vector of this sample web page request according to the structural feature of this sample web page request and the weight of each text word of this sample web page request;
the processor is caused by the training instruction to train a web page request identification model according to the feature vector of each sample web page request and the tag of each sample web page request, based on a machine learning algorithm;
the processor is caused by the identification instruction to, when a web page request to be identified is obtained, identify the web page request to be identified by using the web page request identification model, to determine whether the web page request to be identified is a malicious web page request or not.
 




Drawing










Search report










Cited references

REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description