Application of Artificial intelligence Technologies

Abnormal Traffic Identification Technology Based on Clustering and Outlier Detection Algorithm

Anomaly-based IDS construction methods fall into three major categories: supervised, semi-supervised and unsupervised. The first two depend on annotated data, but obtaining enough annotated data in a real production environment is usually unrealistic. Even for semi-supervised methods, which require only normal behavioral data, it is still very difficult to acquire or construct instances of normal behavior that reflect the real scene. Unsupervised methods, in contrast, do not require any annotated data and are therefore more feasible in practice.

Clustering and outlier detection algorithms are used to analyze unlabeled traffic data and directly detect and identify the abnormal behavior it contains. Specifically, the system first uses the Spark distributed computing framework to preprocess and extract the traffic data, then analyzes it with the clustering and anomaly detection algorithms provided by ELKI, and finally uses the plotting capabilities of the R platform to present the detection results visually.
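As an added illustration of the unsupervised analysis step (not the vendor's code and not ELKI's API), the Python below scores each host by the distance to its k-th nearest neighbour, one simple outlier measure of the kind such toolkits provide. The per-host features, addresses, `k` and the flagging factor are constructed assumptions.

```python
import math

# Constructed per-host aggregates: (flows per minute, mean bytes per flow, distinct dst ports).
FLOWS = {
    "10.0.0.11": (42, 810, 3), "10.0.0.12": (39, 790, 4), "10.0.0.13": (45, 835, 3),
    "10.0.0.14": (40, 805, 5), "10.0.0.15": (44, 820, 4), "10.0.0.16": (41, 798, 3),
    "10.0.0.99": (310, 64, 950),   # constructed scan-like host: many tiny flows, many ports
}

def standardise(rows):
    """Z-score every feature so that no single unit dominates the distance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [tuple((v - m) / s for v, m, s in zip(r, means, stds)) for r in rows]

def knn_outlier_scores(flows, k=2):
    """Score each host by the distance to its k-th nearest neighbour (higher = more isolated)."""
    hosts = list(flows)
    points = standardise([flows[h] for h in hosts])
    scores = {}
    for host, p in zip(hosts, points):
        dists = sorted(math.dist(p, q) for q in points if q is not p)
        scores[host] = dists[k - 1]
    return scores

def flag_outliers(scores, factor=5.0):
    """Flag hosts whose score exceeds `factor` times the median score; no labels are needed."""
    ordered = sorted(scores.values())
    median = ordered[len(ordered) // 2]
    return sorted(h for h, s in scores.items() if s > factor * median)
```

Only the ranking relative to the rest of the unlabeled data decides what is flagged, which is why no annotated traffic is required.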

Deep learning based detection of JavaScript embedded in PDF files

There are many types of malicious PDF files, because a PDF file can have files of any other format embedded in it, such as PE files and Office files. A large proportion of them, however, embed malicious JavaScript code that exploits PDF reader vulnerabilities: once the PDF file is opened, the code is executed automatically and harms the target host. Common operations of this embedded malicious code include accessing malicious links, downloading malicious programs such as Trojans, and opening other malicious files embedded in the file.

The PDF file is analyzed in depth and the embedded JavaScript code is extracted; deep learning is then used to detect whether that code is malicious, so that PDF files with embedded malicious code can be identified effectively. The structure of the PDF file is parsed and some meta-information (i.e., the structure tree) is extracted as the input of a deep learning classifier that determines whether the file is malicious. In the study, most malicious PDF samples were found after parsing to contain the structure tags "/JS" or "/JavaScript", that is, embedded JavaScript code, while normal samples almost never contain them. This makes the "/JS" or "/JavaScript" tag an important criterion for judging a file malicious, but the JavaScript code itself is not examined further, which may lead to false positives. To address this problem, the embedded JavaScript code itself can be analyzed in depth as the detection object, and a multi-level convolutional neural network (CNN) classification model can be used to identify malicious PDF files with embedded JavaScript code more accurately.
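The extraction step described above, as an added Python example that is not the vendor's implementation: instead of stopping at the presence of a "/JS" tag, it recovers the script bytes that a classifier would inspect. It assumes scripts are stored as literal strings or FlateDecode streams in an unencrypted file without object streams; all function names and the sample bytes are constructed.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_RE = re.compile(rb"/JS\s*(?:(\d+)\s+\d+\s+R|(\())")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}

def literal_string(buf, start):
    """Decode the literal string whose '(' is at buf[start]; octal escapes stay as digits."""
    out, depth, i = bytearray(), 1, start + 1
    while i < len(buf) and depth:
        c = buf[i:i + 1]
        if c == b"\\":                      # escaped byte: skip the backslash
            i += 1
            c = ESCAPES.get(buf[i:i + 1], buf[i:i + 1])
        else:
            depth += (c == b"(") - (c == b")")   # unescaped parentheses nest
        out += c if depth else b""          # the closing ')' is not part of the string
        i += 1
    return bytes(out)

def stream_data(body):
    """Return an object's stream bytes, inflated when its dictionary names /FlateDecode."""
    m = STREAM_RE.search(body)
    data = m.group(1) if m else b""
    try:
        return zlib.decompressobj().decompress(data) if b"/FlateDecode" in body else data
    except zlib.error:
        return data                         # not valid zlib: keep the raw bytes

def extract_javascript(pdf):
    """Map object number -> JavaScript bytes for every /JS entry in the file."""
    objects = {int(n): body for n, body in OBJ_RE.findall(pdf)}
    found = {}
    for num, body in objects.items():
        for m in JS_RE.finditer(body):
            if m.group(1):                  # indirect reference to a stream object
                found[num] = stream_data(objects.get(int(m.group(1)), b""))
            else:                           # literal string starting at '('
                found[num] = literal_string(body, m.start(2))
    return found

# Constructed sample, not a real file: object 3 is inline, object 5 points at stream 6.
SAMPLE = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
          b"3 0 obj\n<< /S /JavaScript /JS (app.alert\\('inline'\\);) >>\nendobj\n"
          b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n"
          b"6 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"app.alert('from stream');") + b"\nendstream\nendobj\n%%EOF\n")
```

The two recovered scripts are both harmless alerts, which is the false-positive case the text describes: a tag-only criterion would flag this file, while a classifier fed the extracted code can judge the script itself.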

PHP WebShell detection based on deep learning

A WebShell is a command execution environment that exists in the form of web files such as PHP, JSP and ASP. It is also called a network backdoor. Usually, an attacker exploits a website vulnerability to transfer a WebShell backdoor file to a web server and mixes it in with the normal web page files. The attacker can then control the web server and access its data through a browser.

A multi-layer convolutional neural network (CNN) framework is used to achieve accurate detection of WebShells in the form of PHP files.

Deep learning based SQL injection attack detection system

A SQL injection attack inserts SQL commands into a Web form, the input domain name, or the query string of a page request, thereby tricking the server into executing malicious SQL commands, with the aim of stealing data or modifying or even destroying the back-end database.

A deep learning algorithm is used to analyze the query strings contained in URIs and in POST form submissions, and a corresponding classifier is constructed to detect SQL injection attacks. Specifically, two different algorithms were tried, based on a multi-layer convolutional neural network (CNN) and a recurrent neural network (RNN) respectively.

Copyright Beijing Leadsec Technology Co., Ltd.