The International Joint Conference on Artificial Intelligence 2019 (IJCAI 2019) was held in Macau, China, from August 10 to 16. Four AI research papers from Aliyun (Alibaba Cloud) stood out among the many submissions: one was accepted to the main conference and three were accepted to the AIBS Workshop. The papers analyze in depth the research results and scenario-based applications of AI technology in network security, data security and content security, demonstrating the leadership of Ali Cloud Security in the field of intelligent security.
First held in Washington, DC, in 1969, IJCAI has become one of the premier academic conferences in the field of artificial intelligence, and the papers it accepts each year represent the most cutting-edge research results in AI. This year the acceptance rate of the IJCAI main conference was only 17.9 percent, lower than last year. Ali Cloud's paper accepted to the main conference, “Locate Then Detect: Web Attack Detection via Attention-based Deep Neural Networks”, is the first to address the interpretability of deep learning results in the field of Web attack detection, an innovation of unprecedented significance, and it shows that Ali Cloud leads the industry in the academic research and application of security AI technology.
“Locate Then Detect: Web Attack Detection via Attention-based Deep Neural Networks” (Tianlong Liu, Yu Qi, Liang Shi, Jianan Yan), i.e. the application of attention-based deep neural networks to Web attack detection.
This paper proposes a new two-stage Web attack detection framework called Locate-Then-Detect (LTD). The LTD model combines the idea of object detection with the attention mechanism and introduces two networks: the PLN (Payload Locating Network) and the PCN (Payload Classification Network). Working together, the two deep neural networks can accurately locate the position of a malicious attack within a request and accurately identify its type. The PLN locates the suspicious positions of the attack vector, and the PCN classifies the suspicious vectors it has identified. Through the extraction ability of the target recognition network, the detection system can focus on the truly harmful part of the attack, so that the normal parts of the request content do not influence the model's prediction.
LTD is the first to solve the interpretability problem of deep learning results in the field of Web attack detection (achieved through targeted location of the payload), and in comparison with traditional methods based on rules, signature features and classical machine learning, LTD also showed better results. At present, the LTD detection framework has been deployed in Ali Cloud's Web application firewall products in the form of an AI kernel, which provides real-time intelligent protection for customers on the cloud and ensures the security of users on the cloud.
The other three papers, accepted to the AIBS Workshop (Artificial Intelligence for Business Security), focus on the latest research results and applications of AI technology in cloud security. They are “Multi-strategy Integration Architecture for Pornographic Web Site Detection”, “Insider Threat: Data Exfiltration Detection using Node2Vec in Instant Message” and “Webshell Detection with Attention-based Opcode Sequence Classification”.
“Multi-strategy Integration Architecture for Pornographic Web Site Detection” (Yu Pang), i.e. a pornographic-risk detection model based on the integration of multiple strategies.
With the continuous development of the Internet, prohibited risk content such as violence, pornography and racial discrimination is also increasing, so it is necessary to build a powerful detection model that can identify and block such risks. This paper proposes a risk detection model for pornographic websites based on multi-strategy fusion. Unlike the content-based detection models mainly used in commercial scenarios (such as keyword detection or blacklist mechanisms), this method integrates text features, structural content features and semantic features to construct the detection model. Experimental results show that this model is superior to other risk detection models in accuracy and F1 score.
“Insider Threat: Data Exfiltration Detection using Node2Vec in Instant Message” (Xiaoyu Tang, Jie Chen), i.e. insider threat detection: a data leak detection model based on Node2Vec.
Data is the core asset of many companies, including but not limited to the company's future plans, transaction data, personal information and customer data. Data leakage caused by internal staff is the most costly and the most difficult to detect: on the one hand, internal staff may hold a variety of permissions and have access to a large amount of sensitive data; on the other hand, since communication between internal staff and external customers is often carried out over instant messaging, some employees may use instant messaging to back up sensitive data or transfer it out of the company. It is therefore meaningful and necessary to implement data security protection at the level of the instant messaging tool. Traditionally, statistical rules and statistics are used to detect abnormal user behavior on instant messaging tools. This approach relies heavily on human experience to extract features, so its recall and accuracy are not high. Through analysis and research, this paper found that suspicious users transferring files in the instant messaging tool produce a file transfer network structure that differs from that of normal users. On this basis, we propose a method that uses Node2Vec to detect abnormal file transfer structures; it automates feature extraction and achieves better accuracy and recall.
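Node2Vec, the embedding method this paper applies to instant-messaging file-transfer graphs, starts from second-order biased random walks over the graph. The following added example (not code from the paper or from Alibaba Cloud) builds an undirected user graph from a constructed file-transfer log and generates such walks; the sample users, the walk parameters p and q, and the log format are assumptions, and the skip-gram training step that would turn the walks into node embeddings is omitted.

```python
import random
from collections import defaultdict

# Constructed sample IM file-transfer log: (sender, receiver, file name).
# "dave" fans files out to several one-way external contacts; the others
# exchange files back and forth inside the company.
TRANSFERS = [
    ("alice", "bob", "q3_plan.docx"),
    ("bob", "alice", "notes.txt"),
    ("alice", "carol", "budget.xlsx"),
    ("carol", "alice", "budget_v2.xlsx"),
    ("bob", "carol", "minutes.pdf"),
    ("dave", "ext_acct_1", "customers.csv"),
    ("dave", "ext_acct_2", "customers.csv"),
    ("dave", "ext_acct_3", "contracts.zip"),
    ("dave", "ext_acct_4", "contracts.zip"),
]


def build_graph(transfers):
    """Undirected adjacency lists: one edge per pair of users that exchanged a file."""
    adj = defaultdict(set)
    for src, dst, _ in transfers:
        adj[src].add(dst)
        adj[dst].add(src)
    return {node: sorted(nbrs) for node, nbrs in adj.items()}


def node2vec_walk(adj, start, length, p, q, rng):
    """One second-order biased walk (Grover & Leskovec). Given previous node
    prev and current node cur, the unnormalised weight of stepping to x is
    1/p if x == prev, 1 if x is also adjacent to prev, and 1/q otherwise."""
    walk = [start]
    while len(walk) < length:
        cur = walk[-1]
        nbrs = adj[cur]
        if len(walk) == 1:
            walk.append(rng.choice(nbrs))  # first step: plain uniform choice
            continue
        prev = walk[-2]
        weights = [1.0 / p if x == prev else 1.0 if x in adj[prev] else 1.0 / q
                   for x in nbrs]
        walk.append(rng.choices(nbrs, weights=weights, k=1)[0])
    return walk


def generate_walks(adj, num_walks=10, length=8, p=1.0, q=0.5, seed=7):
    """num_walks walks from every node: the corpus a skip-gram model would train on."""
    rng = random.Random(seed)
    return [node2vec_walk(adj, node, length, p, q, rng)
            for _ in range(num_walks) for node in sorted(adj)]
```

With q below 1 the walks favour moving outward, so the star-shaped neighbourhood around a user who only fans files out to one-way external contacts is sampled very differently from the dense mutual-exchange cluster of the other users.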
“Webshell Detection with Attention-based Opcode Sequence Classification” (Wei He, Yue Xu, Liang Shi), i.e. Webshell detection based on attention-mechanism opcode sequence classification.
In recent years, more and more Web applications have migrated to cloud platforms, and these applications may contain Webshells or have Webshells implanted through vulnerabilities. Detecting Webshells poses challenges, because there is often no clear line between malicious and normal files. For example, the plug-in upload and admin page maintenance functions in WordPress are very similar to malicious Webshells. On the other hand, many Webshells imitate normal scripts to bypass various detection methods. A reliable detector therefore has to distinguish Webshells from normal Web scripts with a low false positive rate. This paper proposes a detection method based on opcode sequences, building a sequence classification model that predicts the probability that a script is a malicious Webshell. The method does not work on the obfuscated text of the PHP script but on the opcodes actually executed by the engine at run time. A BiLSTM with an attention mechanism is used to learn and recognize the opcode sequences. Evaluated on more than 30,000 samples, the method achieves F1 = 98.78% and AUC = 99.97%, surpassing other detection models. Because of its accuracy and generality, the method can be applied to Webshell detection in general, not only to PHP Webshells.
Alibaba Cloud currently serves 40% of China's websites, providing basic security for millions of customers, and successfully defends against more than half of the high-traffic DDoS attacks in China every day. This rich practical experience provides favorable conditions for Ali Cloud's academic research. The most cutting-edge research results feed back into products and attack-and-defense practice, providing customers with more intelligent security products and services to ensure the security of tens of millions of enterprises on the cloud.
Author: Cloud security expert
This article is original content of the cloud habitat community and may not be reproduced without permission.