Authors: Huang Changjiang; Feng Jingyu[1]; Wang Kan; An Yuhang; Zhai Tianxu; Su Hengtao (School of Cyberspace Security, Xi'an University of Posts and Telecommunications, Xi'an 710121; Teaching and Research Support Center, Air Force Engineering University, Xi'an 710051)
Affiliations: [1] School of Cyberspace Security, Xi'an University of Posts and Telecommunications, Xi'an 710121; [2] Teaching and Research Support Center, Air Force Engineering University, Xi'an 710051
Source: Journal of Information Security Research (《信息安全研究》), 2024, No. 9, pp. 824-832, 9 pages
Funding: Key Research and Development Program of Shaanxi Province (2024GX-YBXM-076).
Abstract: To address the limitations of current vulnerability detection schemes in directory acquisition capability and detection coverage, this paper proposes a Web vulnerability detection scheme that integrates Long Short-Term Memory (LSTM) networks for directory acquisition. The scheme integrates Arjun parameter brute-forcing to obtain basic directory paths efficiently, and introduces an LSTM-based directory acquisition approach that generates fuzzy directory paths. Together these build an overall directory path pool that penetrates hidden directories, with the goal of acquiring a larger number of valid directory paths in a short time. To address the difficulty current detection schemes have in covering atypical Web vulnerabilities, the proposed scheme has been implemented as an automated, general-purpose vulnerability detection and verification tool. The tool is suitable for both typical and atypical vulnerabilities and provides directory acquisition, vulnerability detection, and bypassing of cookie and IP blocking. Experimental simulation results show that the scheme acquires more valid directory paths than typical directory brute-forcing tools, exhibits excellent directory acquisition capability, and detects and covers more types of Web vulnerabilities with high efficiency and a low false positive rate.
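Keywords: Web security; vulnerability detection; long short-term memory network; black-box testing; automated tool
Classification number: TP393.0 [Automation and Computer Technology - Computer Application Technology]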