《Web安全之机器学习入门》笔记:第十一章 11.3 Apriori算法挖掘XSS相关参数

        通常情况下Apriori算法主要用于推荐系统,在网络安全中如何使用呢?本小节通过挖掘XSS相关参数,来我家潜在的关联关系。

1.数据集

        本小节通过xssed网站的样例以及WAF拦截日志提取的XSS攻击日志作为样本,位于data/xss-2000.txt中,具体如下《Web安全之机器学习入门》笔记:第十一章 11.3 Apriori算法挖掘XSS相关参数_第1张图片

        机器是没有办法将其识别为日志的,需要逐行读取数据,并将其向量化。比较简单的做法就是按照一定的分隔符切割为单词向量,代码如下所示

    myDat=[]
    with open("../data/xss-2000.txt") as f:
        for line in f:
            #/discuz?q1=0&q3=0&q2=0%3Ciframe%20src=http://xxooxxoo.js%3E
            index=line.find("?")
            if index>0:
                line=line[index+1:len(line)]
                tokens=re.split('\=|&|\?|\%3e|\%3c|\%3E|\%3C|\%20|\%22|<|>|\\n|\(|\)|\'|\"|;|:|,|\%28|\%29',line)
                myDat.append(tokens)
        f.close()

 打印前三行token

    print(myDat[0])
    print(myDat[1])
    print(myDat[2])

如下所示

['', 'onmouseover', '', 'prompt', '42873', '', 'bad', '', '', '', '']
['op', 'map', 'maptype', '1', 'city', 'test', 'script', 'alert', '/42873/', '', '/script', '', '']
['op', 'map', 'maptype', '1', 'defaultcity', '%e5', '', 'alert', '/42873/', '', '//', '']

2. 使用Apriori算法挖掘

        这里采取置信度接近1,如下所示

    L, suppData = apriori(myDat, 0.15)
    rules = generateRules(L, suppData, minConf=0.6)

3.完整代码

from apriori import apriori
from apriori import generateRules
import re

if __name__ == '__main__':
    myDat=[]
    with open("../data/xss-2000.txt") as f:
        for line in f:
            #/discuz?q1=0&q3=0&q2=0%3Ciframe%20src=http://xxooxxoo.js%3E
            index=line.find("?")
            if index>0:
                line=line[index+1:len(line)]
                tokens=re.split('\=|&|\?|\%3e|\%3c|\%3E|\%3C|\%20|\%22|<|>|\\n|\(|\)|\'|\"|;|:|,|\%28|\%29',line)
                myDat.append(tokens)
        f.close()

    L, suppData = apriori(myDat, 0.15)
    rules = generateRules(L, suppData, minConf=0.99)
    print('rules:\n', rules)

4.运行结果

frozenset({'a'}) --> frozenset({''}) conf: 1.0
frozenset({'c'}) --> frozenset({''}) conf: 1.0
frozenset({'c'}) --> frozenset({'42873'}) conf: 1.0
frozenset({'page'}) --> frozenset({''}) conf: 1.0
frozenset({'/'}) --> frozenset({''}) conf: 1.0
frozenset({'/'}) --> frozenset({'1'}) conf: 0.9936507936507937
frozenset({'//'}) --> frozenset({''}) conf: 1.0
frozenset({'//'}) --> frozenset({'alert'}) conf: 0.9941348973607038
frozenset({'/script'}) --> frozenset({''}) conf: 1.0
frozenset({'1'}) --> frozenset({''}) conf: 1.0
frozenset({'alert'}) --> frozenset({''}) conf: 1.0
frozenset({'script'}) --> frozenset({''}) conf: 1.0
frozenset({'script'}) --> frozenset({'/script'}) conf: 1.0
frozenset({'42873'}) --> frozenset({''}) conf: 1.0
frozenset({'c'}) --> frozenset({'42873', ''}) conf: 1.0
frozenset({'/'}) --> frozenset({'1', ''}) conf: 0.9936507936507937
frozenset({'//'}) --> frozenset({'', 'alert'}) conf: 0.9941348973607038
frozenset({'script'}) --> frozenset({'', '/script'}) conf: 1.0
frozenset({'script', 'alert'}) --> frozenset({'', '/script'}) conf: 1.0
frozenset({'1', 'script'}) --> frozenset({'', '/script'}) conf: 1.0
frozenset({'1', 'script', 'alert'}) --> frozenset({'', '/script'}) conf: 1.0
rules:
 [(frozenset({'a'}), frozenset({''}), 1.0), (frozenset({'c'}), frozenset({''}), 1.0), (frozenset({'c'}), frozenset({'42873'}), 1.0), (frozenset({'page'}), frozenset({''}), 1.0), (frozenset({'/'}), frozenset({''}), 1.0), (frozenset({'/'}), frozenset({'1'}), 0.9936507936507937), (frozenset({'//'}), frozenset({''}), 1.0), (frozenset({'//'}), frozenset({'alert'}), 0.9941348973607038), (frozenset({'/script'}), frozenset({''}), 1.0), (frozenset({'1'}), frozenset({''}), 1.0), (frozenset({'alert'}), frozenset({''}), 1.0), (frozenset({'script'}), frozenset({''}), 1.0), (frozenset({'script'}), frozenset({'/script'}), 1.0), (frozenset({'42873'}), frozenset({''}), 1.0), (frozenset({'c'}), frozenset({'42873', ''}), 1.0), (frozenset({'/'}), frozenset({'1', ''}), 0.9936507936507937), (frozenset({'//'}), frozenset({'', 'alert'}), 0.9941348973607038), (frozenset({'script'}), frozenset({'', '/script'}), 1.0), (frozenset({'script', 'alert'}), frozenset({'', '/script'}), 1.0), (frozenset({'1', 'script'}), frozenset({'', '/script'}), 1.0), (frozenset({'1', 'script', 'alert'}), frozenset({'', '/script'}), 1.0)]

如上所示,比如'script'和'1'、'alert'一起出现的话,基本上会100%导致'/scipt'.

你可能感兴趣的:(Web安全之机器学习入门,web安全,机器学习,Apriori,XSS攻击,网络安全)