Backdoor attack method and apparatus for malicious URL detection system

12531900 · 2026-01-20

Abstract

The disclosure provides a backdoor attack method and apparatus for a malicious URL detection system. The backdoor attack method includes: obtaining original URL samples of backdoor URL samples to be generated; determining position information of separator slashes in each URL of the original URL samples, and obtaining a position number result by numbering the position information; determining a backdoor attack mode of the malicious URL detection system based on the position number result, and generating the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode; and constructing a training set based on a preset ratio of the backdoor URL samples, training a neural network model by using the training set, and testing an attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain a real-time attack success rate.

Claims

1. A backdoor attack method for a malicious uniform resource locator (URL) detection system, comprising: obtaining original URL samples of backdoor URL samples to be generated; determining position information of separator slashes in each URL of the original URL samples, and obtaining a position number result by numbering the position information; determining a backdoor attack mode of the malicious URL detection system based on the position number result, and generating the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode; and constructing a training set based on a preset ratio of the backdoor URL samples, training a neural network model by using the training set, and testing an attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain a real-time attack success rate; wherein determining the backdoor attack mode of the malicious URL detection system based on the position number result, and generating the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode, comprise: determining positions of a first number of separator slashes selected from the URLs of the original URL samples and determining a position serial number corresponding to each selected separator slash; determining the backdoor attack mode of the malicious URL detection system based on the position serial numbers and a second number of separator slashes; and generating the backdoor URL samples corresponding to all the original URL samples based on the determined backdoor attack mode; wherein constructing the training set based on the preset ratio of the backdoor URL samples, training the neural network model by using the training set, and testing the attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain the real-time attack success rate, comprise: obtaining word features, character features and statistical features of the URL sample in the training set; constructing the neural network model for processing the character features and the word features, and training the neural network model to obtain a trained neural network model; and constructing a multi-feature representation of the word features, the character features and the statistical features of the URL sample, and obtaining a test result of the real-time attack success rate by inputting the multi-feature representation to the trained neural network model for testing the attack strength of the malicious URL detection system in the backdoor attack mode.

2. The method of claim 1, wherein obtaining the original URL samples of the backdoor URL samples to be generated comprises: obtaining initial URL samples by re-collecting URL samples and labels corresponding to the URL samples; and obtaining the original URL samples of the backdoor URL samples to be generated by filtering the initial URL samples.

3. The method of claim 1, after obtaining the real-time attack success rate, further comprising: updating the backdoor attack mode in real time based on the real-time attack success rate, to enable the real-time attack success rate in the updated backdoor attack mode to reach a preset attack success rate.

4. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and when the instructions are executed by the at least one processor, the at least one processor is configured to: obtain original URL samples of backdoor URL samples to be generated; determine position information of separator slashes in each URL of the original URL sample, and obtain a position number result by numbering the position information; determine a backdoor attack mode of a malicious URL detection system based on the position number result, and generate the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode; and establish a training set based on a preset ratio of the backdoor URL samples, train a neural network model by using the training set, and test an attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain a real-time attack success rate; wherein the at least one processor is further configured to: determine positions of a first number of separator slashes selected from the URLs of the original URL samples and determine a position serial number corresponding to each selected separator slash; determine the backdoor attack mode of the malicious URL detection system based on the position serial numbers and a second number of separator slashes; and generate the backdoor URL samples corresponding to all the original URL samples based on the determined backdoor attack mode; wherein the at least one processor is further configured to: obtain word features, character features and statistical features of the URL sample in the training set; construct the neural network model for processing the character features and the word features, and train the neural network model to obtain a trained neural network model; and construct a multi-feature representation of the word features, the character features and the statistical features of the URL sample, and obtain a test result of real-time attack success rate by inputting the multi-feature representation to the trained neural network model for testing the attack strength of the malicious URL detection system in the backdoor attack mode.

5. The electronic device of claim 4, wherein the at least one processor is further configured to: obtain initial URL samples by re-collecting URL samples and labels corresponding to the URL samples; and obtain the original URL samples of the backdoor URL samples to be generated by filtering the initial URL samples.

6. The electronic device of claim 4, wherein the at least one processor is further configured to: update the backdoor attack mode in real time based on the real-time attack success rate, to enable the real-time attack success rate in the updated backdoor attack mode to reach a preset attack success rate.

7. A non-transitory computer-readable storage medium, having computer instructions stored thereon, wherein the computer instructions are configured to cause a computer to execute a backdoor attack method for a malicious URL detection system, the backdoor attack method comprises: obtaining original URL samples of backdoor URL samples to be generated; determining position information of separator slashes in each URL of the original URL samples, and obtaining a position number result by numbering the position information; determining a backdoor attack mode of the malicious URL detection system based on the position number result, and generating the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode; and constructing a training set based on a preset ratio of the backdoor URL samples, training a neural network model by using the training set, and testing an attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain a real-time attack success rate; wherein determining the backdoor attack mode of the malicious URL detection system based on the position number result, and generating the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode, comprise: determining positions of a first number of separator slashes selected from the URLs of the original URL samples and determining a position serial number corresponding to each selected separator slash; determining the backdoor attack mode of the malicious URL detection system based on the position serial numbers and a second number of separator slashes; and generating the backdoor URL samples corresponding to all the original URL samples based on the determined backdoor attack mode; wherein constructing the training set based on the preset ratio of the backdoor URL samples, training the neural network model by using the training set, and testing the attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain the real-time attack success rate, comprise: obtaining word features, character features and statistical features of the URL sample in the training set; constructing the neural network model for processing the character features and the word features, and training the neural network model to obtain a trained neural network model; and constructing a multi-feature representation of the word features, the character features and the statistical features of the URL sample, and obtaining a test result of the real-time attack success rate by inputting the multi-feature representation to the trained neural network model for testing the attack strength of the malicious URL detection system in the backdoor attack mode.

8. The non-transitory computer-readable storage medium of claim 7, wherein obtaining the original URL samples of the backdoor URL samples to be generated comprises: obtaining initial URL samples by re-collecting URL samples and labels corresponding to the URL samples; and obtaining the original URL samples of the backdoor URL samples to be generated by filtering the initial URL samples.

9. The non-transitory computer-readable storage medium of claim 7, wherein, after obtaining the real-time attack success rate, the method further comprises: updating the backdoor attack mode in real time based on the real-time attack success rate, to enable the real-time attack success rate in the updated backdoor attack mode to reach a preset attack success rate.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) These and/or other aspects and advantages of embodiments of the disclosure will become apparent and more readily appreciated from the following descriptions made with reference to the accompanying drawings, in which:

(2) FIG. 1 is a flow chart illustrating a backdoor attack method for a malicious URL detection system according to an embodiment of the disclosure;

(3) FIG. 2 is a flow chart illustrating a sub-step of obtaining original URL samples of backdoor URL samples to be generated according to an embodiment of the disclosure;

(4) FIG. 3 is a flow chart illustrating a sub-step of generating the backdoor URL samples corresponding to the original URL samples according to an embodiment of the disclosure;

(5) FIG. 4 is a schematic diagram illustrating a feasible backdoor attack mode according to an embodiment of the disclosure;

(6) FIG. 5 is a flow chart illustrating a sub-step of testing an attack strength of a backdoor attack method according to an embodiment of the disclosure; and

(7) FIG. 6 is a structural diagram illustrating a backdoor attack apparatus for a malicious URL detection system according to an embodiment of the disclosure.

DETAILED DESCRIPTION

(8) It is noted that embodiments of the disclosure and features in the embodiments can be combined with each other without conflict. Description will be made in detail below to the disclosure with reference to the accompanying drawings in combination with the embodiments.

(9) In order to enable those skilled in the art to understand the technical solutions of the disclosure, the technical solutions in embodiments of the disclosure will be described clearly and completely below in combination with the accompanying drawings. Obviously, embodiments described here are only part of embodiments of the disclosure and are not all embodiments of the disclosure. Based on embodiments of the disclosure, other embodiments obtained by those skilled in the art without inventive work are within the protection scope of the disclosure.

(10) Description will be made below to a method and an apparatus for a backdoor attack for a malicious URL detection system proposed by embodiments of the disclosure with reference to the accompanying drawings.

(11) FIG. 1 is a flow chart illustrating a backdoor attack method for a malicious URL detection system according to an embodiment of the disclosure.

(12) As illustrated in FIG. 1, the method includes, but is not limited to, the following.

(13) At block S1, original URL samples of backdoor URL samples to be generated are obtained.

(14) It may be understood that the original URL sample (represented as $U_i$), from which the backdoor URL sample (represented as $U_i$) is generated, is obtained by an attacker.

(15) As an implementation, FIG. 2 is a flow chart illustrating a sub-step of obtaining the original URL samples of the backdoor URL samples to be generated according to an embodiment of the disclosure. As illustrated in FIG. 2, FIG. 2 includes the following.

(16) At block S11, initial URL samples are obtained by re-collecting URL samples and corresponding labels.

(17) At block S12, the original URL samples of the backdoor URL samples to be generated are obtained by filtering the initial URL samples.

(18) In detail, the initial URL samples are obtained by stealing existing data from a model owner or re-collecting the URL samples and the labels corresponding to the URL samples, and the total number of the initial URL samples is represented by K.

(19) In detail, the initial URL samples are filtered. To give the generated backdoor URL samples (also called malicious URL samples) a more effective attack effect on a target model, the attacker needs to filter the stolen or collected initial URL samples so that the distribution of data types in the filtered samples is as similar as possible to that of the URL samples (also called benign URL samples) of the model owner.

(20) At block S2, position information of separator slashes in each URL of the original URL samples is determined, and a position number result is obtained by numbering the position information.

(21) It is understood that, in this action, there is a need to analyze each URL separately to obtain a position of the separator / (slash) in the URL, and to number the positions of the separators / in each URL sequentially. This action may include the following.

(22) In detail, all the original URL samples are analyzed by the attacker, to obtain positions and the number of the separators / in each URL, respectively.

(23) In detail, the separator, i.e., the slash, is numbered to determine an attack mode usable by the attacker. A serial number of the $p_i$-th separator / in the URL is represented by $p_i$, and the value of $p_i$ starts from 1.

(24) At block S3, a backdoor attack mode of the malicious URL detection system is determined based on the position number result, and the backdoor URL samples corresponding to the original URL samples are generated by using the backdoor attack mode.

(25) It may be understood that, in this action, a definite attack mode needs to be selected. For all the original URL samples, by considering the positions and the number of separators / that are uniformly usable in all URLs, a method for generating the backdoor URL sample, i.e., the attack mode, is determined such that it is feasible for all the original URL samples, and then the corresponding backdoor URL samples may be generated.

(26) As an implementation, FIG. 3 is a flow chart illustrating a sub-step of generating the backdoor URL samples corresponding to the original URL samples according to an embodiment of the disclosure. As illustrated in FIG. 3, FIG. 3 includes the following.

(27) At block S31, positions of a first number of separator slashes selected from the URLs of the original URL samples are determined, and a position serial number corresponding to each selected separator slash is determined.

(28) At block S32, the backdoor attack mode of the malicious URL detection system is determined based on the position serial numbers and a second number of separator slashes.

(29) At block S33, the backdoor URL samples corresponding to all the original URL samples are generated based on the determined backdoor attack mode.

(30) In detail, an attack mode usable by all the original URL samples is selected.

(31) Positions of $m$ separators selected in all the original URLs are determined. A position serial number corresponding to the $i$-th separator is represented by $p_i$, and $n_i$ separators are added after $p_i$ to form a specific attack mode, which is represented by:

(32)

$$U_i = f_{SBD}(U_i;\ \langle p_1, n_1\rangle, \ldots, \langle p_j, n_j\rangle, \ldots, \langle p_m, n_m\rangle),$$

where the $U_i$ inside $f_{SBD}$ represents the $i$-th original URL sample, the $U_i$ on the left-hand side represents a backdoor URL sample generated based on the $i$-th original URL sample, $p_j$ represents a position serial number of the selected $j$-th separator, $\langle p_j, n_j\rangle$ represents that $n_j$ separators are added after the separator numbered $p_j$, $f_{SBD}(\cdot)$ represents a process of generating the backdoor URL sample, and $\langle p_1, n_1\rangle, \ldots, \langle p_m, n_m\rangle$ forms the specific attack mode. An example of a feasible backdoor attack mode $f_{SBD}(U_i, \langle 3, 1\rangle)$ is illustrated in FIG. 4.

(33) Further, the backdoor URL samples ($U_i$, $i \in [1, K]$) corresponding to all the original URL samples ($U_i$, $i \in [1, K]$) are generated based on the selected specific attack mode $f_{SBD}(\cdot)$.

(34) At block S4, a training set is constructed based on a preset ratio of the backdoor URL samples, a neural network model is trained by using the training set, and an attack strength of the malicious URL detection system in the backdoor attack mode is tested by using the trained neural network model to obtain a real-time attack success rate.

(35) It is understood that, in this action, the generated backdoor URL samples in a uniform attack mode are added, in a ratio of 1: (i.e., K.Math. backdoor URL samples), to the training set used by the malicious URL detection system in a training process of a model, such as the neural network model, to test the attack strength of the backdoor attack method in the specific attack mode.

(36) As an implementation, FIG. 5 is a flow chart illustrating a sub-step of testing an attack strength of a backdoor attack method according to an embodiment of the disclosure. As illustrated in FIG. 5, FIG. 5 includes the following.

(37) At block S41, word features, character features and statistical features of the URL sample in the training set are obtained.

(38) At block S42, the neural network model for processing the character features and the word features is constructed, and the neural network model is trained to obtain a trained neural network model.

(39) At block S43, a multi-feature representation of the word features, the character features and the statistical features of the URL sample is constructed, and a test result of the real-time attack success rate is obtained by inputting the multi-feature representation to the trained neural network model for testing the attack strength of the malicious URL detection system in the backdoor attack mode.

(40) In detail, the word features and the character features of the URL sample are obtained. Each character, including special characters, in the URL sample, and each string split by the special characters, may be used as a word extraction feature. Each character feature is encoded as a numeric value, represented by:

$$U^c = [c^{(1)}, \ldots, c^{(i)}, \ldots, c^{(N_c)}]$$

$$U^w = [w^{(1)}, \ldots, w^{(i)}, \ldots, w^{(N_w)}]$$

where $U^c$ represents a character representation of one URL sample, $c^{(i)}$ represents a serial number corresponding to the $i$-th character in the URL, $N_c$ represents the number of character features in an intercepted URL sample, $U^w$ represents a word representation of one URL sample, $w^{(i)}$ represents a serial number corresponding to the $i$-th character in the URL sample, and $N_w$ represents the number of word features in the intercepted URL sample.

(41) In detail, the statistical features of the URL sample are obtained. For the statistical features used by the malicious URL detection system, any statistical feature such as the number of English characters, the number of digits and the number of special characters in the URL, and a ratio of the number of special characters to a total length of the URL, may be added together to constitute the statistical features of one URL sample, which is represented by:

$$U^s = [s^{(1)}, \ldots, s^{(i)}, \ldots, s^{(N_s)}]$$

(42) where $U^s$ represents a statistical representation of one URL sample, $s^{(i)}$ represents the $i$-th statistical feature selected, and $N_s$ represents the number of statistical features of the intercepted URL sample.

(43) In detail, a network for processing the character features and the word features is constructed. For the character features and the word features of the URL sample, a vector embedding the character and the word is compressed by using a one-dimensional convolutional neural network, which is represented by:

(44)

$$v_i^{(c)} = f_{conv}(\vec{k} \cdot \vec{c}_{i:i+h-1} + b)$$

(45) where $f_{conv}(\cdot)$ represents a one-dimensional convolution operation, $\vec{k}$ represents a convolution kernel of the convolution operation, $b$ represents a bias, $\vec{c}$ represents an input of the convolution operation, a subscript of $\vec{c}$ represents an operation range, and $v_i^{(c)}$ represents an output of the convolution operation. The convolution operation is performed on the character features and the word features of the URL sample respectively to obtain feature representations, which are represented by:

$$\vec{v}^{(c)} = [\hat{v}_1^{(c)}, \ldots, \hat{v}_m^{(c)}]$$

$$\vec{v}^{(w)} = [\hat{v}_1^{(w)}, \ldots, \hat{v}_m^{(w)}]$$

(46) where $\hat{v}^{(c)}$ represents a value obtained by performing one convolution operation and a maximum pooling operation on the character feature, $\hat{v}^{(w)}$ represents a value obtained by performing one convolution operation and the maximum pooling operation on the word feature, $\vec{v}^{(c)}$ represents a character feature representation of one URL sample subjected to the convolution operation and the maximum pooling operation, and $\vec{v}^{(w)}$ represents a word feature representation of one URL sample subjected to the convolution operation and the maximum pooling operation.

(47) In detail, the multi-feature representation of the URL sample is constructed by integrating the character features, the word features, and the statistical features. The character feature representation, the word feature representation, and the statistical feature representation of the URL sample are spliced together to obtain the multi-feature representation of the URL sample, which is represented by:

$$[\vec{v}^{(c)}\;\; \vec{v}^{(w)}\;\; U^s],$$

(48) where $\vec{v}^{(c)}$ represents the obtained word feature representation, $\vec{v}^{(w)}$ represents the obtained character feature representation, and $U^s$ represents the obtained statistical representation of the URL.

(49) In detail, the attack strength of the attack mode selected in the above actions is tested. The obtained multi-feature representation of one URL sample is input into a fully connected network to test the attack success rate, i.e., the real-time attack success rate, of the backdoor attack method for the malicious URL detection system based on a diversity of file paths.

(50) Further, with the method according to embodiments of the disclosure, the backdoor attack mode may be updated in real time based on the obtained real-time attack success rate, to enable the real-time attack success rate to reach a preset attack success rate in the updated backdoor attack mode.

(51) In detail, the attack mode is adjusted based on the attack success rate obtained in the above actions to achieve the attack success rate desired by the attacker.

(52) With the backdoor attack method for the malicious URL detection system according to embodiments of the disclosure, an ingenious backdoor attack method is designed by taking advantage of the browser's insensitivity to the separator, i.e., the slash, in the URL when the browser parses the URL, which may evaluate a vulnerability of the malicious URL detection system forwardly. Moreover, the backdoor attack method is flexible and covert enough to draw the attention of researchers to the security of the malicious URL detection system.
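The property described above also gives the owner of a detection model a check to run before training. The following is an added example, not part of the disclosure: it collapses redundant path slashes before feature extraction and audits a labelled training set for repeated-slash patterns that recur under one label. The function names, the thresholds, the choice to number separators within the path only, and the sample URLs are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, urlunsplit

def canonicalize(url):
    """Collapse runs of '/' in the path only.

    The '//' after the scheme and any '//' inside the query string are left
    alone, since a query can legitimately carry an embedded URL.
    """
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=re.sub(r"/{2,}", "/", parts.path)))

def slash_signature(url):
    """Return ((serial, extra), ...) for every path separator that is repeated.

    serial numbers the separators of the path from 1 (an assumption: the page
    does not say whether the scheme slashes are counted); extra is the number
    of redundant slashes found at that separator.
    """
    signature = []
    path = urlsplit(url).path
    for serial, run in enumerate(re.finditer(r"/+", path), start=1):
        extra = len(run.group()) - 1
        if extra:
            signature.append((serial, extra))
    return tuple(signature)

def special_char_ratio(url):
    """One statistical feature named on the page: special characters / length."""
    if not url:
        return 0.0
    return sum(not ch.isalnum() for ch in url) / len(url)

def audit_training_set(samples, min_count=3, purity=0.9):
    """Flag slash signatures shared by many samples that carry the same label.

    samples is an iterable of (url, label). A signature is reported when at
    least min_count samples share it and one label accounts for at least
    purity of them. Both thresholds are illustrative, not tuned values.
    """
    by_signature = defaultdict(Counter)
    for url, label in samples:
        signature = slash_signature(url)
        if signature:
            by_signature[signature][label] += 1
    flagged = []
    for signature, labels in by_signature.items():
        total = sum(labels.values())
        label, hits = labels.most_common(1)[0]
        if total >= min_count and hits / total >= purity:
            flagged.append((signature, total, label, hits / total))
    return sorted(flagged, key=lambda row: -row[1])

# Constructed sample data (label 0 = benign, 1 = malicious); not real URLs.
SAMPLES = [
    ("http://shop.example.com/cart/view", 0),
    ("http://news.example.org/2024/05/story.html", 0),
    ("http://cdn.example.net/js/app.js?next=http://a.example//x", 0),
    ("http://login.example.test/a//b/c.php", 0),
    ("http://files.example.test/x//y/z.exe", 0),
    ("http://pay.example.test/p//q/r.html", 0),
    ("http://bad.example.test/dl/get.php", 1),
    ("http://old.example.org/archive///index.html", 1),
]

if __name__ == "__main__":
    for signature, total, label, share in audit_training_set(SAMPLES):
        print(f"signature={signature} samples={total} label={label} share={share:.2f}")
    raw = SAMPLES[3][0]
    print(raw, "->", canonicalize(raw))
    print("special-char ratio:", round(special_char_ratio(raw), 4),
          "->", round(special_char_ratio(canonicalize(raw)), 4))
```

Canonicalization here is meant for the detector's feature pipeline at both training and inference time; the URL actually requested should stay as received, because not every server treats repeated slashes as equivalent.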

(53) In order to implement the above embodiments, as illustrated in FIG. 6, this embodiment also provides a backdoor attack apparatus 10 for a malicious URL detection system. The apparatus 10 includes: an original sample obtaining module 100, a position information numbering module 200, a backdoor sample generating module 300, an attack mode testing module 400.

(54) The original sample obtaining module 100 is configured to obtain original URL samples of backdoor URL samples to be generated.

(55) The position information numbering module 200 is configured to determine position information of separator slashes in each URL of the original URL sample, and to obtain a position number result by numbering the position information.

(56) The backdoor sample generating module 300 is configured to determine a backdoor attack mode of the malicious URL detection system based on the position number result, and to generate the backdoor URL samples corresponding to the original URL samples by using the backdoor attack mode.

(57) The attack mode testing module 400 is configured to establish a training set based on a preset ratio of the backdoor URL samples, and to train a neural network model by using the training set, and to test an attack strength of the malicious URL detection system in the backdoor attack mode by using the trained neural network model to obtain a real-time attack success rate.

(58) Further, the original sample obtaining module 100 is also configured to: obtain initial URL samples by re-collecting URL samples and corresponding labels; and obtain the original URL samples of the backdoor URL samples to be generated by filtering the initial URL samples.

(59) Further, the backdoor sample generating module 300 is also configured to: select positions of a first number of separator slashes from the URLs of the original URL samples and determine a position serial number corresponding to each selected separator slash; determine the backdoor attack mode of the malicious URL detection system based on the position serial numbers and a second number of separator slashes; and generate the backdoor URL samples corresponding to all the original URL samples based on the determined backdoor attack mode.

(60) Further, the attack mode testing module 400 is also configured to: obtain word features, character features and statistical features of the URL sample in the training set; construct the neural network model for processing the character features and the word features, and train the neural network model to obtain a trained neural network model; and construct a multi-feature representation of the word features, the character features and the statistical features of the URL sample, and obtain a test result of real-time attack success rate by inputting the multi-feature representation to the trained neural network model for testing the attack strength of the malicious URL detection system in the backdoor attack mode.

(61) Further, after the attack mode testing module 400, the apparatus also includes: a mode updating module.

(62) The mode updating module is configured to update the backdoor attack mode in real time based on the real-time attack success rate, to enable the real-time attack success rate in the updated backdoor attack mode to reach a preset attack success rate.

(63) With the backdoor attack apparatus for the malicious URL detection system according to embodiments of the disclosure, the backdoor attack mode is designed by taking advantage of the browser's insensitivity to slash characters in the URL when the browser parses the URL, which may evaluate the vulnerability of the malicious URL detection system forwardly. Moreover, the backdoor attack mode is flexible and covert enough to draw the attention of researchers to the security of the malicious URL detection system.

(64) In the description of this disclosure, reference to the terms "an embodiment", "some embodiments", "examples", "specific examples", or "some examples" means that the specific feature, structure, material, or characteristic described in combination with the embodiment or example is included in at least one embodiment or example of the disclosure. In this disclosure, schematic representations of the above terms need not be directed to the same embodiments or examples. Moreover, the specific feature, structure, material, or characteristic described may be combined in any one or more of embodiments or examples in a suitable manner. Furthermore, without contradicting each other, those skilled in the art may combine different embodiments or examples described in this disclosure and features of different embodiments or examples.

(65) In addition, the terms "first" and "second" are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Therefore, a feature defined with the terms "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the disclosure, "multiple" or "plurality" means at least two, e.g., two and three, unless otherwise limited specifically.