Authors: FAN Yu-chen (范禹辰); LIU Xiang-kun (刘相坤); ZHU Jian-sheng (朱建生); JIANG Qiu-hua (蒋秋华); LI Qi (李琪); XU Dong-ping (徐东平)
Affiliations: [1] Postgraduate Department, China Academy of Railway Sciences, Beijing 100081, China; [2] Institute of Electronic Computing Technology, China Academy of Railway Sciences Corporation Limited, Beijing 100081, China
Source: Computer Technology and Development (《计算机技术与发展》), 2022, Issue 8, pp. 168-173 (6 pages)
Funding: Science and Technology Research and Development Program of China State Railway Group Co., Ltd. (N2020S005).
Abstract: Traditional rule-based web attack detection methods require rules to be designed and added manually. As the number of rules grows, they consume more computing resources and detection efficiency drops, and unknown attacks cannot be identified. Most recent deep-learning research on web attack detection inspects only the URL and parameter portions of HTTP requests, so malicious attacks carried in the remaining fields of the request are missed. To address these problems, this paper proposes two BERT-based web attack detection methods that inspect the full HTTP request. BERT is modified by adding an LSTM and a Transformer, respectively, after the network on top of its pooled output; these layers fuse features so that BERT can accept long text input. Both detection models are trained on a real dataset from a service website; the test split of that dataset is used to verify detection performance, and the public CSIC2010 dataset is used as a test set to verify the generalization ability of the models. Experimental results show that both models effectively identify normal and abnormal traffic in the real website dataset while maintaining detection efficiency, and that the Transformer-based detection model performs better on both test sets.
Keywords: web attack detection; BERT model; LSTM model; Transformer model; deep learning
Classification number: TP391 [Automation and Computer Technology - Computer Application Technology]