Web Attack Payload Identification and Interpretability Analysis Based on Graph Convolutional Network

Web attack payload identification is a significant part of the Web defense system. The current Web attack payload identification usually combines natural language processing and deep learning to automatically build a detection model to intercept malicious payloads. However, these detection methods ignore the bidirectional association between fields and is prone to the payload dilution problem for long strings. In addition, the weak interpretability of deep learning models makes it difficult for researchers to solve the problem of model pollution and adjust the model according to the prediction logic. Therefore, this paper proposes a new Web attack payload identification method based on Graph Convolutional Network (GCN), which can effectively extract Web payload features and help model interpretability analysis. The core of this method is to transform the text feature problem into a graph feature extraction problem and to understand the structure and content of the Web payload from the graph perspective. The method performs node embedding on the Web payload graph through GCN, then converts the embedding vector into a graph feature vector through a feature fusion method. The node ablation method is used to analyze malicious payloads' interpretability and calculate the predicted impact rate of nodes inside the graph structure. The experiments on the CSIC 2010 v2 HTTP dataset show that the method proposed in this paper has high accuracy for identifying Web attack payloads, and the node embedding of the Relational Graph Convolutional Network (RGCN) method is more suitable for identifying Web attack payloads than other GCN methods. The research results of the paper show that the model interpretability analysis based on the Web payload graph is reasonable and can effectively assist researchers in adjusting the model and preventing the problem of model pollution.