US 12,425,424 B1
URL parameter value anomaly detection method and system for the same
Huaigu Ou, Beijing (CN); Chuanshe Zhang, Beijing (CN); Xiaoqing Wang, Beijing (CN); and Qian Ding, Beijing (CN)
Assigned to IcloudShield Security Technology Co., Ltd., Beijing (CN)
Filed by IcloudShield Security Technology Co., Ltd., Beijing (CN)
Filed on Dec. 23, 2024, as Appl. No. 19/000,479.
Claims priority of application No. 202410080426.6 (CN), filed on Jan. 19, 2024.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01)
9 Claims
1. A URL parameter value anomaly detection method, characterized in that, the method comprises:
obtaining a real-time request log, the real-time request log comprises current http request data;
analyzing the real-time request log, to generate one or more parameter values;
classifying categories based on a preset parameter value, classifying each parameter value, to determine a parameter value category of a request URL in the real-time request log;
generating a key according to a domain name, a request URI, and a parameter name in the real-time request log;
retrieving a target dataset corresponding to the key from a pre-stored parameter feature library; wherein a mapping relationship between a plurality of keys and a category and a category confidence level of a dataset generated based on a historical request log is stored in a parameter feature library; and
matching the parameter value category of the request URL in the real-time request log with the category and the category confidence level of the target dataset; and when there is no match, it is determined that a parameter value of the request URL in the real-time request log is anomalous;
a process of generating the mapping relationship between the plurality of keys and the category and the category confidence level of the dataset based on the historical request log comprises:
obtaining the historical request log, wherein the historical request log comprises http request data at a historical moment;
performing data preprocessing of the historical request log, to determine a parameter value category of a request URL in the historical request log; wherein the data preprocessing comprises a parameter key-value pair splitting, invalid parameter filtering and parameter value classification;
performing data merge of all preprocessed historical request logs, the data merge comprises: generating a key according to a domain name, a request URI, and a parameter name in each of the preprocessed historical request logs; selecting data with a same key and merging thereof to form the dataset;
determining a category and a category confidence level of the dataset based on consistency of parameter value categories in the dataset, the determining the category and the category confidence level of the dataset, based on the consistency of the parameter value categories in the dataset comprises:
determining whether the parameter value categories in the dataset are the same;
when the parameter value categories in the dataset are different, and comprise neither a pure number category nor a pure English category, or do not only comprise the pure number category and the pure English category, a parameter value category with a largest proportion is selected and determined to be the category of the dataset, and the category confidence level is set to a proportion ratio value of the parameter value category with the largest proportion;
storing the mapping relationship between the key and the category and the category confidence level of the dataset, to generate the parameter feature library.
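
The flow in claim 1 (building the parameter feature library from historical requests, then checking a live request against it), as an added Python sketch that is not code from the patent or its assignee. Assumptions not stated in the claim: the "other" catch-all category, the tuple key layout, treating empty names or values as invalid parameters, the MIN_CONFIDENCE threshold and how it gates a match, and applying the largest-proportion rule to every dataset.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

MIN_CONFIDENCE = 0.9  # assumed threshold; the claim does not give a value

def classify(value):
    # "pure number" and "pure English" come from the claim; "other" is an assumed catch-all.
    if value.isascii() and value.isdigit():
        return "pure_number"
    if value.isascii() and value.isalpha():
        return "pure_english"
    return "other"

def preprocess(url):
    # Key-value splitting, invalid-parameter filtering (assumed: empty name or value), classification.
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name and value:
            yield (parts.hostname, parts.path, name), classify(value)

def build_feature_library(historical_urls):
    datasets = defaultdict(Counter)
    for url in historical_urls:
        for key, category in preprocess(url):
            datasets[key][category] += 1  # merge records that share a key
    library = {}
    for key, counts in datasets.items():
        # Largest-proportion category; confidence is its share of the dataset.
        # Assumption: the same rule is used when all categories agree (share 1.0) or mix only numbers and English.
        category, hits = counts.most_common(1)[0]
        library[key] = (category, hits / sum(counts.values()))
    return library

def detect(url, library):
    anomalies = []
    for key, category in preprocess(url):
        expected, confidence = library.get(key, (category, 0.0))  # unknown key: nothing to compare
        # Assumed match rule: a category mismatch counts only against a high-confidence profile.
        if category != expected and confidence >= MIN_CONFIDENCE:
            anomalies.append((key[2], category, expected, confidence))
    return anomalies

# Constructed sample history: numeric ids, alphabetic lang, free-form search terms.
HISTORY = [f"https://shop.example/item?id={n}&lang=en" for n in range(100, 120)]
HISTORY += [f"https://shop.example/search?q={q}" for q in ("a+b", "red-shoes", "size_9", "hello", "42")]
LIBRARY = build_feature_library(HISTORY)
print(detect("https://shop.example/item?id=12%27x&lang=en", LIBRARY))
```

The search parameter ends up with a 0.6 confidence profile, so a value of a different category there is not reported, while the uniformly numeric id parameter is.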