In the field of network security, Web attack detection remains one of the important means of ensuring network security. Nowadays, most widely used Web applications are designed as multi-layer structures with many dynamic characteristics. The content of the application is generated dynamically at runtime, so purely static detection methods cannot deal well with dynamic attacks. In recent years, attack detection schemes that incorporate runtime dynamic characteristics have appeared, such as system-log-based and record-and-replay attack detection methods, but these methods still cannot fully understand the internal state of the application or block the attack in time; they belong to post-hoc analysis. To this end, this thesis starts from Web request characteristics, the dynamic behavior of the application at runtime, and the interaction sequence of requests, which represent the deep-seated behavior of the program more directly and effectively. The resulting models can precisely detect multiple classes of Web attack in real time by using deep neural networks together with behavior information.

Specifically, the main research work is divided into three parts.

Firstly, we propose an end-to-end attack detection framework based on Web request characteristics. Through lossless characterization of the request content by a character-level embedding module, the designed autoencoder learns normal request features without supervision, based on a seq2seq model. The model then accurately detects attacks and visualizes the malicious payload in real time, which makes the detection results more interpretable, and it outperforms the comparison models.

Secondly, we propose an attack detection framework based on the runtime dynamic behavior of the Web application. The normal dynamic behavior and semantics of the program are constructed into a dynamic behavior graph, and the problem of execution path explosion is effectively solved by a path pruning and aggregation optimization algorithm. When attack behavior is detected, the model can block the attack and give the context information accurately, which realizes fine-grained Web attack detection.

Thirdly, we propose a business logic attack detection framework based on request sequences. At the application function level, the model extracts the request sequences produced in the course of Web service and learns the normal interaction sequence patterns, which transforms business logic attack detection into a time series problem. The experimental results show that the proposed framework can automatically identify business logic attacks with high accuracy and practicability.

From the perspective of detection level, the three proposed detection frameworks are progressive: they detect attack payloads in Web requests, then detect the dynamic behavior of the application at runtime, and finally identify business logic attacks according to the interaction sequence of requests, so as to protect Web application security comprehensively.
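As an added illustration that is not code from the thesis, the Python sketch below stands in for the first framework's character-level detector: a character-bigram model with unigram back-off, learned only from constructed normal requests, replaces the seq2seq autoencoder, per-character surprisal replaces reconstruction error, and the most unexpected characters are bracketed to mimic the payload visualisation. The sample requests, the smoothing constant and the one-bit decision margin are assumptions.

```python
from collections import Counter, defaultdict
import math

# Constructed sample of normal requests (not the thesis' dataset).
NORMAL_REQUESTS = [
    "GET /product?id=42 HTTP/1.1",
    "GET /product?id=7 HTTP/1.1",
    "GET /product?id=1024 HTTP/1.1",
    "GET /product?id=96 HTTP/1.1",
    "GET /cart?item=13 HTTP/1.1",
    "GET /cart?item=58 HTTP/1.1",
]
START, END = "\x02", "\x03"  # request boundary markers


class CharModel:
    """Character-bigram model of normal requests; surprisal (bits) stands in
    for the autoencoder's reconstruction error (assumed simplification)."""

    def __init__(self, alpha=0.01, margin=1.0):
        self.alpha, self.margin = alpha, margin   # additive smoothing, decision margin
        self.counts = defaultdict(Counter)        # previous char -> next-char counts
        self.uni = Counter()                      # unigram fallback for unseen contexts
        self.threshold = None

    def fit(self, requests):
        for r in requests:
            s = START + r + END
            for prev, ch in zip(s, s[1:]):
                self.counts[prev][ch] += 1
                self.uni[ch] += 1
        # Calibrate on normal data only: worst-scoring normal request plus a margin.
        self.threshold = max(self.score(r) for r in requests) + self.margin
        return self

    def _prob(self, prev, ch):
        c = self.counts.get(prev) or self.uni     # back off when the context is unseen
        return (c[ch] + self.alpha) / (sum(c.values()) + self.alpha * len(self.uni))

    def surprisals(self, request):
        """Per-character -log2 p(ch | previous char); END is scored but not returned."""
        s = START + request + END
        bits = [-math.log2(self._prob(p, c)) for p, c in zip(s, s[1:])]
        return list(zip(request, bits[:-1]))

    def score(self, request):
        return sum(b for _, b in self.surprisals(request)) / max(len(request), 1)

    def is_attack(self, request):
        return self.score(request) > self.threshold

    def highlight(self, request, bits=8.0):
        """Bracket characters the model finds unexpected: the payload visualisation."""
        return "".join(f"[{c}]" if b > bits else c for c, b in self.surprisals(request))


MODEL = CharModel().fit(NORMAL_REQUESTS)
```

With the constructed training set, a request carrying `' OR 1=1--` scores about 3 bits per character against a threshold near 2, and `highlight` brackets the quote, the keywords and the comment dashes while a fresh normal request is returned unchanged.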