CN-121234215-B - SQL injection prediction model training method, system and storage medium
Abstract
The invention discloses a training method, a system and a storage medium for an SQL injection prediction model. A new SQL injection loss function is constructed that couples an SQL type balance factor, an SQL difficult-sample focusing parameter and a smooth hinge loss; the first and second partial derivatives of the loss function are computed and substituted into the information gain; a decision tree structure is constructed and a decision tree model is trained to obtain the optimal SQL injection features and optimal split nodes, yielding the optimal decision tree structure and the corresponding SQL injection prediction model. The time complexity of model training is reduced, over-fitting or under-fitting of the trained model is avoided, and the accuracy of machine-learning SQL injection detection is improved.
Inventors
- YUE DEGUANG
- KONG JINTAO
- WANG XIAOYI
- GU YUHENG
- LI XIN
- KAN ZHIGANG
Assignees
- 苏州工学院
Dates
- Publication Date: 2026-05-08
- Application Date: 2025-12-04
Claims (9)
- 1. An SQL injection prediction model training method, characterized by comprising the following steps: S01, constructing an SQL injection prediction model and constructing the SQL injection loss function used in training it, whose symbols denote, in order, the SQL type balance factor, the SQL difficult-sample focusing parameter, the probability predicted by the model, the smooth hinge loss function, the type value of the SQL payload feature and the predicted value of the SQL payload feature; S02, computing the first and second partial derivatives of the loss function and substituting them into the information gain, the information gain function being the gain before and after the training set is divided into any two different subsets, whose symbols denote the left subset split from the training set, the right subset split from the training set, the fit parameter factor, the L2 regularization parameter, the weights of the SQL injection features, and, for the training set, the left subset and the right subset respectively, the sum of the first partial derivatives and the sum of the second partial derivatives of the loss function over the samples in that set; and S03, constructing a decision tree structure and training it to obtain the optimal SQL injection feature and optimal split node, thereby obtaining the optimal decision tree structure and the corresponding SQL injection prediction model, wherein, when judging whether a candidate node needs to be split while training the decision tree structure, the information gains of all possible split points are calculated and whether the candidate node is split is decided by combining the layer number of the candidate node, the SQL payload type values of the SQL samples and the maximum and minimum of the information gains, so as to train the optimal split nodes and leaf nodes.
- 2. The method according to claim 1, wherein in step S01 the SQL type balance factor is defined as the balance factor for the model predicting type 1, and the model's predicted probability denotes the probability that the model predicts type 1, defined as follows.
- 3. The method for training an SQL injection prediction model according to claim 1, wherein the constructed decision tree is described by: a set of split nodes, each split node carrying the feature value of its splitting condition, a left child node, a right child node and a sequence number, together with the number of split nodes; a set of leaf nodes, each leaf node carrying its SQL sample set, its weight score and its sequence number, together with the number of leaf nodes; a set of candidate nodes, each candidate node carrying its SQL sample set, the sequence number of its parent node, its position (left, right or root), the layer of the tree in which it is located and its sequence number, together with the number of candidate nodes of the tree; and the number of layers of the decision tree.
- 4. The method for training an SQL injection prediction model according to claim 3, wherein training in step S03 to obtain the optimal SQL injection feature and the optimal split node comprises: acquiring an SQL injection feature training set in which each sample consists of the injection features of an SQL payload and the SQL payload type value, the type value indicating either a normal SQL payload or an SQL injection payload, with each sample carrying a sample number; when the model is initialized, calculating the proportion of normal SQL samples in the training set and taking it as the probability corresponding to the initial predicted value, the training set consisting of the set of all SQL injection samples and the set of all normal SQL samples, and initializing the model accordingly; judging whether the candidate node needs to be split, and if not, adding a leaf node, otherwise using the feature values of the candidate node, indexed by feature sequence number, as splitting conditions, calculating the information gains of all possible split points and adding them to the set of information gains of all possible split points; and training to obtain the optimal SQL injection feature and the optimal split point, together with the feature value of the splitting condition at the optimal split point.
- 5. The method of claim 4, wherein adding a leaf node comprises adding a new leaf node to the leaf node set of the current decision tree, its attributes being set from the set of sequence numbers of all leaf nodes, the sequence number set of the SQL samples of the candidate node, the sum of the first partial derivatives and the sum of the second partial derivatives of the loss function over the samples of the candidate node, and the attribute values of the parent node of the current candidate node.
- 6. The method according to claim 4, wherein obtaining the optimal decision tree structure in step S03 comprises: constructing the left candidate child node according to the optimal split point and adding one new candidate node to the candidate node set of the current decision tree; constructing the right candidate child node and adding one new candidate node; adding one new split node to the split node set of the current decision tree according to the optimal split point, the attributes of the new nodes being set from the set of sequence numbers of the candidate nodes, the set of sequence numbers of the split nodes and the attribute values of the parent node of the current candidate node; and obtaining the optimal decision tree, described by the decision tree structure, its set of split nodes, its set of leaf nodes, its set of candidate nodes and its number of layers.
- 7. The method of claim 6, wherein obtaining the corresponding SQL injection prediction model comprises: generating a new tree model from the optimal decision tree, the tree model consisting of the weight scores of its leaf nodes and the tree structure that maps an input to a leaf node; updating the model with the new tree scaled by the learning rate; and obtaining the trained model.
- 8. An SQL injection prediction model training system for implementing the SQL injection prediction model training method of any one of claims 1-7, comprising: an SQL injection loss function construction module for constructing an SQL injection prediction model and constructing the SQL injection loss function used in training it, whose symbols denote, in order, the SQL type balance factor, the SQL difficult-sample focusing parameter, the probability predicted by the model, the smooth hinge loss function, the type value of the SQL payload feature and the predicted value of the SQL payload feature; an information gain construction module for computing the first and second partial derivatives of the loss function and substituting them into the information gain; and a model training module for constructing a decision tree structure, training it to obtain the optimal SQL injection feature and optimal split nodes, and obtaining the optimal decision tree structure and the corresponding SQL injection prediction model.
- 9. A computer storage medium having stored thereon a computer program, wherein the computer program when executed implements the SQL injection prediction model training method of any one of claims 1-7.
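The three steps the claims describe (a custom loss, its first and second partial derivatives, and a gain-driven split search followed by a learning-rate-scaled model update) are the gradient-boosting recipe with the patent's own loss substituted for the usual log-loss. The following is an added example written for this page, not code from the patent or its inventors. Because the page does not reproduce the patent's loss formula or gain function, the loss is an assumed instantiation of the three named ingredients (a per-class balance factor, a focal-style (1-p)^gamma focusing factor and Rennie's smooth hinge on the margin), the gain uses only the L2 parameter (the fit-parameter factor and per-feature weights of claim 1 are omitted), the initial score is the logit of the injection proportion, the split decision uses a gain threshold and a depth limit in place of the claim's layer-number and max/min-gain test, and the feature extraction, hyperparameters and payload samples are constructed for the demonstration.

```python
"""Gradient-boosted trees driven by a custom SQL-injection loss (steps S01-S03).
Added example, not the patent's code. The patent's loss formula is not on the page;
the loss here is an ASSUMED form: L = alpha_y*(1-p)^gamma*h(m), m=(2y-1)*f, p=sigmoid(m),
h = Rennie's smooth hinge. Features, samples and hyperparameters are constructed."""
import math
import re

ALPHA = 0.75   # balance factor for the injection class (normal class gets 1 - ALPHA)
GAMMA = 2.0    # focusing parameter: (1 - p)^GAMMA down-weights easy samples
LAMBDA = 1.0   # L2 regularisation on leaf weights
H_MIN = 1e-3   # hessian floor: the focusing factor makes the loss non-convex for m << 0

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def smooth_hinge(m):
    """Rennie's smooth hinge h(m) and its first two derivatives."""
    if m >= 1.0:
        return 0.0, 0.0, 0.0
    return (0.5 * (1.0 - m) ** 2, m - 1.0, 1.0) if m > 0.0 else (0.5 - m, -1.0, 0.0)

def loss_grad_hess(y, f):
    """Return (loss, dL/df, d2L/df2) for label y in {0, 1} and raw score f (S01/S02)."""
    y_s = 2.0 * y - 1.0
    alpha = ALPHA if y == 1 else 1.0 - ALPHA
    m = y_s * f
    p = sigmoid(m)
    h, h1, h2 = smooth_hinge(m)
    w = (1.0 - p) ** GAMMA                          # focusing weight and its m-derivatives
    w1 = -GAMMA * p * (1.0 - p) ** GAMMA
    w2 = GAMMA * p * (1.0 - p) ** GAMMA * (GAMMA * p - (1.0 - p))
    d1 = alpha * (w1 * h + w * h1)                  # dL/dm by the product rule
    d2 = alpha * (w2 * h + 2.0 * w1 * h1 + w * h2)
    return alpha * w * h, y_s * d1, max(d2, H_MIN)  # dm/df = y_s, y_s**2 == 1

def gain(g_l, h_l, g_r, h_r):
    """Split gain from the summed first (G) and second (H) derivatives of each side."""
    g, h = g_l + g_r, h_l + h_r
    return 0.5 * (g_l ** 2 / (h_l + LAMBDA) + g_r ** 2 / (h_r + LAMBDA) - g ** 2 / (h + LAMBDA))

def build_tree(X, grads, hess, idx, depth, max_depth, min_gain):
    """Greedy split search (S03): a candidate node becomes a leaf with weight
    -G/(H+lambda) unless some feature/threshold gains more than min_gain."""
    G, H = sum(grads[i] for i in idx), sum(hess[i] for i in idx)
    best = (min_gain, None, None)
    if depth < max_depth and len(idx) > 1:
        for j in range(len(X[0])):
            order = sorted(idx, key=lambda i: X[i][j])
            g_l = h_l = 0.0
            for i, nxt in zip(order, order[1:]):
                g_l, h_l = g_l + grads[i], h_l + hess[i]
                if X[i][j] == X[nxt][j]:
                    continue                        # no threshold between equal values
                gn = gain(g_l, h_l, G - g_l, H - h_l)
                if gn > best[0]:
                    best = (gn, j, 0.5 * (X[i][j] + X[nxt][j]))
    if best[1] is None:
        return {"leaf": -G / (H + LAMBDA)}
    _, j, thr = best
    left, right = [i for i in idx if X[i][j] <= thr], [i for i in idx if X[i][j] > thr]
    return {"feat": j, "thr": thr,
            "left": build_tree(X, grads, hess, left, depth + 1, max_depth, min_gain),
            "right": build_tree(X, grads, hess, right, depth + 1, max_depth, min_gain)}

def tree_score(node, x):
    while "leaf" not in node:
        node = node["left"] if x[node["feat"]] <= node["thr"] else node["right"]
    return node["leaf"]

KEYWORDS = re.compile(r"\b(union|select|or|and|sleep|benchmark|drop)\b")
TAUTOLOGY = re.compile(r"(\w+)'?\s*=\s*'?\1\b")     # matches 1=1, '1'='1, 'a'='a

def features(payload):
    """Toy features of a request parameter value (constructed for this example)."""
    s = payload.lower()
    return [float(len(s)), float(s.count("'") + s.count('"')),
            float(len(KEYWORDS.findall(s)) + s.count("--") + s.count("/*") + s.count("#")),
            1.0 if TAUTOLOGY.search(s) else 0.0, float(s.count(";"))]

def fit(samples, rounds=20, lr=0.3, max_depth=3, min_gain=1e-6):
    """samples: list of (payload, label), label 1 = injection, 0 = normal."""
    X = [features(p) for p, _ in samples]
    y = [lab for _, lab in samples]
    frac_inj = sum(y) / len(y)
    f0 = math.log(frac_inj / (1.0 - frac_inj))      # assumed init: logit of the injection share
    f, trees = [f0] * len(y), []
    for _ in range(rounds):
        gh = [loss_grad_hess(yi, fi) for yi, fi in zip(y, f)]
        grads, hess = [g for _, g, _ in gh], [h for _, _, h in gh]
        tree = build_tree(X, grads, hess, list(range(len(y))), 0, max_depth, min_gain)
        trees.append(tree)
        f = [fi + lr * tree_score(tree, xi) for fi, xi in zip(f, X)]   # model update
    return {"f0": f0, "lr": lr, "trees": trees}

def predict_proba(model, payload):
    x = features(payload)
    return sigmoid(model["f0"] + model["lr"] * sum(tree_score(t, x) for t in model["trees"]))

# Constructed training set of request parameter values (not full SQL statements).
SAMPLES = [("alice", 0), ("O'Brien", 0), ("42", 0), ("2024-05-01", 0), ("hello world", 0),
           ("user@example.com", 0), ("select the best option", 0), ("rock and roll", 0),
           ("' OR 1=1 --", 1), ("1' UNION SELECT username, password FROM users--", 1),
           ("admin'--", 1), ("1'; DROP TABLE users--", 1), ("' OR '1'='1", 1),
           ("1 AND SLEEP(5)", 1), ("1') OR ('1'='1", 1), ("' or 'a'='a", 1)]
```

Calling fit(SAMPLES) and then predict_proba(model, "' UNION SELECT 1,2,3 --") classifies the held-out payload as injection while "drop me a line" stays normal: a keyword hit alone is not decisive, and the tree learns to combine it with the quote and tautology features. Two checks are worth making before trusting a loss like this inside a booster: compare the first derivative against a finite difference of the loss (the product-rule terms are easy to get wrong), and watch the sign of the second derivative, because the focusing factor makes the loss non-convex for badly misclassified samples and a negative H would flip the sign of the leaf weight -G/(H+lambda); the H_MIN floor above is the usual guard.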
Description
SQL injection prediction model training method, system and storage medium
Technical Field
The invention belongs to the technical field of SQL injection detection and relates to an SQL injection prediction model training method, an SQL injection prediction model training system and a storage medium.
Background
To overcome the shortcomings of traditional SQL injection detection methods, many researchers have proposed machine-learning-based SQL injection detection. For example, dictionary words and SQL tokens are extracted and labelled as a dataset, a model is trained on it, and SQL injection is then detected with an SVM classifier. Alternatively, the tokenization is optimized to generate a specific marker sequence as data, and SQL injection is detected by combining a naive Bayes classifier with access control. Others collect system logs and traffic at network nodes, build multi-source datasets from the correlations between them, and finally train a model on extracted SQL injection features. In the face of continuously changing SQL injection, a single classifier cannot capture the classification features well, whereas ensemble learning combines several different classifiers to improve the accuracy and stability of sample classification, for example by using logistic regression, decision trees, neural networks and other classifiers and determining the final result by voting or weighted averaging. Or the SQL injection sample data is preprocessed into a unified format and encoding, text features and rule features are extracted from it and fused into a dataset, the dataset is fed to different algorithms such as SVM, AdaBoost, decision tree, random forest, logistic regression, KNN and Bayes to train multiple machine-learning classifiers, and the best model is finally selected by cross-validation.
The training of existing SQL injection detection models relies on existing machine-learning algorithms, and model performance depends heavily on the SQL injection information carried by the dataset and its feature vectors and on the learning process of the model itself. However, existing machine-learning algorithms generally need a long training time (high time complexity) when faced with large volumes of SQL injection data or when performing ensemble learning, and their loss functions (such as squared error, mean squared error, logarithmic loss or cross entropy) suffer a performance loss from data imbalance and blurred class boundaries in SQL injection feature learning, so the trained model fits poorly and the detection result is unsatisfactory (low detection accuracy). To address the problems of imbalanced samples, hard-to-learn samples and boundary samples in SQL injection prediction training, an SQL type balance factor, an SQL difficult-sample focusing parameter and a smooth hinge loss are coupled to define a brand-new SQL injection loss function.
Disclosure of Invention
In view of the above technical problems, the invention aims to provide a training method, a system and a storage medium for an SQL injection prediction model; it designs a brand-new SQL injection loss function that couples an SQL type balance factor, an SQL difficult-sample focusing parameter and a smooth hinge loss, reduces the time complexity of model training, avoids over-fitting or under-fitting of the trained model, and improves the accuracy of machine-learning SQL injection detection.
The technical solution adopted to achieve this aim is as follows. An SQL injection prediction model training method comprises the following steps: S01, constructing an SQL injection prediction model and constructing the SQL injection loss function used in training it, whose symbols denote, in order, the SQL type balance factor, the SQL difficult-sample focusing parameter, the probability predicted by the model, the smooth hinge loss function, the type value of the SQL payload feature and the predicted value of the SQL payload feature; S02, computing the first and second partial derivatives of the loss function and substituting them into the information gain; and S03, constructing a decision tree structure, training it to obtain the optimal SQL injection feature and optimal split nodes, and obtaining the optimal decision tree structure and the corresponding SQL injection prediction model. In a preferred embodiment, in step S01 the SQL type balance factor is defined as follows, and the model's probability of predicting 1 is defined as follows. In a preferred embodiment, the s